Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe

Overview

General Information

Sample name:SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
Analysis ID:1501382
MD5:a53393a2f0eb90d65e0bfe5c98e04096
SHA1:88c415fa91b3e6a30c7420f364e2ebba70a29aec
SHA256:364bdfd38cbaf67b35e1ec8f1618ec4a9c3bc932bce5ad370edbf95c0115670a
Infos:

Detection

FormBook
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe (PID: 2656 cmdline: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe" MD5: A53393A2F0EB90D65E0BFE5C98E04096)
    • svchost.exe (PID: 4284 cmdline: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2bea0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1415f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2f2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x17562:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.svchost.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2e4a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x16762:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          2.2.svchost.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2f2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17562:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe", CommandLine: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe", ParentImage: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe, ParentProcessId: 2656, ParentProcessName: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe, ProcessCommandLine: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe", ProcessId: 4284, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe", CommandLine: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe", ParentImage: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe, ParentProcessId: 2656, ParentProcessName: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe, ProcessCommandLine: "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe", ProcessId: 4284, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeReversingLabs: Detection: 42%
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeJoe Sandbox ML: detected
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000003.2228380308.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2226135767.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2261741489.000000000314E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000003.2228380308.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2226135767.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2261741489.000000000314E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Binary is likely a compiled AutoIt script file
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe, 00000000.00000000.2003364214.0000000000E82000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_5402c89f-b
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe, 00000000.00000000.2003364214.0000000000E82000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c8febbc1-9
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b71b3e28-0
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_6763366b-2
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C5E3 NtClose,2_2_0042C5E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030235C0 NtCreateMutant,LdrInitializeThunk,2_2_030235C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022B60 NtClose,LdrInitializeThunk,2_2_03022B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03022DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03024340 NtSetContextThread,2_2_03024340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03023010 NtOpenDirectoryObject,2_2_03023010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03023090 NtSetValueKey,2_2_03023090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03024650 NtSuspendThread,2_2_03024650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022B80 NtQueryInformationFile,2_2_03022B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022BA0 NtEnumerateValueKey,2_2_03022BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022BE0 NtQueryValueKey,2_2_03022BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022BF0 NtAllocateVirtualMemory,2_2_03022BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022AB0 NtWaitForSingleObject,2_2_03022AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022AD0 NtReadFile,2_2_03022AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022AF0 NtWriteFile,2_2_03022AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030239B0 NtGetContextThread,2_2_030239B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022F30 NtCreateSection,2_2_03022F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022F60 NtCreateProcessEx,2_2_03022F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022F90 NtProtectVirtualMemory,2_2_03022F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022FA0 NtQuerySection,2_2_03022FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022FB0 NtResumeThread,2_2_03022FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022FE0 NtCreateFile,2_2_03022FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022E30 NtWriteVirtualMemory,2_2_03022E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022E80 NtReadVirtualMemory,2_2_03022E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022EA0 NtAdjustPrivilegesToken,2_2_03022EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022EE0 NtQueueApcThread,2_2_03022EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022D00 NtSetInformationFile,2_2_03022D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022D10 NtMapViewOfSection,2_2_03022D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03023D10 NtOpenProcessToken,2_2_03023D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022D30 NtUnmapViewOfSection,2_2_03022D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03023D70 NtOpenThread,2_2_03023D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022DB0 NtEnumerateKey,2_2_03022DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022DD0 NtDelayExecution,2_2_03022DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022C00 NtQueryInformationProcess,2_2_03022C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022C60 NtCreateKey,2_2_03022C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022C70 NtFreeVirtualMemory,2_2_03022C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022CA0 NtQueryInformationToken,2_2_03022CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022CC0 NtQueryVirtualMemory,2_2_03022CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022CF0 NtOpenProcess,2_2_03022CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040195C2_2_0040195C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004168D32_2_004168D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004028F02_2_004028F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101F32_2_004101F3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004031902_2_00403190
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E2732_2_0040E273
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004023402_2_00402340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042EB932_2_0042EB93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004025002_2_00402500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FFCC2_2_0040FFCC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FFD32_2_0040FFD3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A132D2_2_030A132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AA3522_2_030AA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF52A02_2_02FF52A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303739A2_2_0303739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B03E62_2_030B03E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE3F02_2_02FFE3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030902742_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDD34C2_2_02FDD34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B2C02_2_0300B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030702C02_2_030702C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308A1182_2_0308A118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C02_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030781582_2_03078158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BB16B2_2_030BB16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302516C2_2_0302516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B01AA2_2_030B01AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A81CC2_2_030A81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFB1B02_2_02FFB1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF1722_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309F0CC2_2_0309F0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A70E92_2_030A70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AF0E02_2_030AF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE01002_2_02FE0100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030147502_2_03014750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AF7B02_2_030AF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC7C02_2_02FEC7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF07702_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A16CC2_2_030A16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300C6E02_2_0300C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A75712_2_030A7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05912_2_030B0591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE14602_2_02FE1460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308D5B02_2_0308D5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AF43F2_2_030AF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A24462_2_030A2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF05352_2_02FF0535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309E4F62_2_0309E4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AAB402_2_030AAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AFB762_2_030AFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEEA802_2_02FEEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300FB802_2_0300FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A6BD72_2_030A6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03065BF02_2_03065BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302DBF92_2_0302DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AFA492_2_030AFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A7A462_2_030A7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03063A6C2_2_03063A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03035AA02_2_03035AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308DAAC2_2_0308DAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309DAC62_2_0309DAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF38E02_2_02FF38E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD68B82_2_02FD68B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B9502_2_0300B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030069622_2_03006962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BA9A62_2_030BA9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF28402_2_02FF2840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA8402_2_02FFA840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D8002_2_0305D800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF29A02_2_02FF29A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF99502_2_02FF9950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301E8F02_2_0301E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AFF092_2_030AFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032F282_2_03032F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03010F302_2_03010F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03064F402_2_03064F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF9EB02_2_02FF9EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0E592_2_02FF0E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306EFA02_2_0306EFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AFFB12_2_030AFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFCFE02_2_02FFCFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEE262_2_030AEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE2FC82_2_02FE2FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1F922_2_02FF1F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002E902_2_03002E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030ACE932_2_030ACE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEEDB2_2_030AEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0CF22_2_02FE0CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A1D5A2_2_030A1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A7D732_2_030A7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03008DBF2_2_03008DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300FDC02_2_0300FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0C002_2_02FF0C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEADE02_2_02FEADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03069C322_2_03069C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090CB52_2_03090CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF3D402_2_02FF3D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AFCF22_2_030AFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFAD002_2_02FFAD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0305EA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FDB970 appears 268 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0306F290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03037E54 appears 96 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03025130 appears 36 times
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal92.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeFile created: C:\Users\user\AppData\Local\Temp\aut6786.tmpJump to behavior
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeReversingLabs: Detection: 42%
          Source: unknownProcess created: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe"
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe"
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe"Jump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: ntmarta.dllJump to behavior
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic file information: File size 1305088 > 1048576
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000003.2228380308.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2226135767.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2261741489.000000000314E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000003.2228380308.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2226135767.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2261741489.000000000314E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041904A push edi; iretd 2_2_00419052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00424021 push eax; iretd 2_2_00424022
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004240DD push edi; ret 2_2_004240E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004138E7 push 1968FB21h; iretd 2_2_00413901
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417903 push ebp; iretd 2_2_00417929
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041919F push esi; retf 2_2_00419254
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00419203 push esi; retf 2_2_00419254
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D2C1 push ebx; retf 2_2_0040D403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411B46 push eax; iretd 2_2_00411B47
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D37A push ebx; retf 2_2_0040D403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AB3D push esp; ret 2_2_0040AB82
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00413BE9 pushad ; retf 2_2_00413BFF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00413BF3 pushad ; retf 2_2_00413BFF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AB84 push esi; ret 2_2_0040AB96
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D457 push ebx; retf 2_2_0040D403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00403400 push eax; ret 2_2_00403402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414C17 pushfd ; iretd 2_2_00414C18
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418C33 push ds; retf 5F9Ah2_2_00418D42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00426D63 push cs; iretd 2_2_00426E07
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416643 push edi; ret 2_2_0041664E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004246EF push edi; iretd 2_2_004246F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004086F0 push ecx; ret 2_2_004086F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040CEFE pushad ; ret 2_2_0040CF1E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041F690 push edi; iretd 2_2_0041F69E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00404F69 push esi; iretd 2_2_00404F88
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE09AD push ecx; mov dword ptr [esp], ecx2_2_02FE09B6
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeAPI/Special instruction interceptor: Address: 16F3234
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D1C0 rdtsc 2_2_0305D1C0
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 4744Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D1C0 rdtsc 2_2_0305D1C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417883 LdrLoadDll,2_2_00417883
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD92FF mov eax, dword ptr fs:[00000030h]2_2_02FD92FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301A30B mov eax, dword ptr fs:[00000030h]2_2_0301A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301A30B mov eax, dword ptr fs:[00000030h]2_2_0301A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301A30B mov eax, dword ptr fs:[00000030h]2_2_0301A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306930B mov eax, dword ptr fs:[00000030h]2_2_0306930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306930B mov eax, dword ptr fs:[00000030h]2_2_0306930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306930B mov eax, dword ptr fs:[00000030h]2_2_0306930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03000310 mov ecx, dword ptr fs:[00000030h]2_2_03000310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF02E1 mov eax, dword ptr fs:[00000030h]2_2_02FF02E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF02E1 mov eax, dword ptr fs:[00000030h]2_2_02FF02E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF02E1 mov eax, dword ptr fs:[00000030h]2_2_02FF02E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A132D mov eax, dword ptr fs:[00000030h]2_2_030A132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A132D mov eax, dword ptr fs:[00000030h]2_2_030A132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300F32A mov eax, dword ptr fs:[00000030h]2_2_0300F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB2D3 mov eax, dword ptr fs:[00000030h]2_2_02FDB2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB2D3 mov eax, dword ptr fs:[00000030h]2_2_02FDB2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB2D3 mov eax, dword ptr fs:[00000030h]2_2_02FDB2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE92C5 mov eax, dword ptr fs:[00000030h]2_2_02FE92C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE92C5 mov eax, dword ptr fs:[00000030h]2_2_02FE92C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA2C3 mov eax, dword ptr fs:[00000030h]2_2_02FEA2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA2C3 mov eax, dword ptr fs:[00000030h]2_2_02FEA2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA2C3 mov eax, dword ptr fs:[00000030h]2_2_02FEA2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA2C3 mov eax, dword ptr fs:[00000030h]2_2_02FEA2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA2C3 mov eax, dword ptr fs:[00000030h]2_2_02FEA2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B5341 mov eax, dword ptr fs:[00000030h]2_2_030B5341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062349 mov eax, dword ptr fs:[00000030h]2_2_03062349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AA352 mov eax, dword ptr fs:[00000030h]2_2_030AA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306035C mov eax, dword ptr fs:[00000030h]2_2_0306035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306035C mov eax, dword ptr fs:[00000030h]2_2_0306035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306035C mov eax, dword ptr fs:[00000030h]2_2_0306035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306035C mov ecx, dword ptr fs:[00000030h]2_2_0306035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306035C mov eax, dword ptr fs:[00000030h]2_2_0306035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306035C mov eax, dword ptr fs:[00000030h]2_2_0306035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF02A0 mov eax, dword ptr fs:[00000030h]2_2_02FF02A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF02A0 mov eax, dword ptr fs:[00000030h]2_2_02FF02A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF52A0 mov eax, dword ptr fs:[00000030h]2_2_02FF52A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF52A0 mov eax, dword ptr fs:[00000030h]2_2_02FF52A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF52A0 mov eax, dword ptr fs:[00000030h]2_2_02FF52A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF52A0 mov eax, dword ptr fs:[00000030h]2_2_02FF52A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309F367 mov eax, dword ptr fs:[00000030h]2_2_0309F367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308437C mov eax, dword ptr fs:[00000030h]2_2_0308437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300438F mov eax, dword ptr fs:[00000030h]2_2_0300438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300438F mov eax, dword ptr fs:[00000030h]2_2_0300438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B539D mov eax, dword ptr fs:[00000030h]2_2_030B539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD826B mov eax, dword ptr fs:[00000030h]2_2_02FD826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303739A mov eax, dword ptr fs:[00000030h]2_2_0303739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303739A mov eax, dword ptr fs:[00000030h]2_2_0303739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4260 mov eax, dword ptr fs:[00000030h]2_2_02FE4260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4260 mov eax, dword ptr fs:[00000030h]2_2_02FE4260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4260 mov eax, dword ptr fs:[00000030h]2_2_02FE4260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030133A0 mov eax, dword ptr fs:[00000030h]2_2_030133A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030133A0 mov eax, dword ptr fs:[00000030h]2_2_030133A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030033A5 mov eax, dword ptr fs:[00000030h]2_2_030033A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE6259 mov eax, dword ptr fs:[00000030h]2_2_02FE6259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA250 mov eax, dword ptr fs:[00000030h]2_2_02FDA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9240 mov eax, dword ptr fs:[00000030h]2_2_02FD9240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9240 mov eax, dword ptr fs:[00000030h]2_2_02FD9240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309C3CD mov eax, dword ptr fs:[00000030h]2_2_0309C3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD823B mov eax, dword ptr fs:[00000030h]2_2_02FD823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030663C0 mov eax, dword ptr fs:[00000030h]2_2_030663C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309B3D0 mov ecx, dword ptr fs:[00000030h]2_2_0309B3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309F3E6 mov eax, dword ptr fs:[00000030h]2_2_0309F3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B53FC mov eax, dword ptr fs:[00000030h]2_2_030B53FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030163FF mov eax, dword ptr fs:[00000030h]2_2_030163FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03017208 mov eax, dword ptr fs:[00000030h]2_2_03017208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03017208 mov eax, dword ptr fs:[00000030h]2_2_03017208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE3F0 mov eax, dword ptr fs:[00000030h]2_2_02FFE3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE3F0 mov eax, dword ptr fs:[00000030h]2_2_02FFE3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE3F0 mov eax, dword ptr fs:[00000030h]2_2_02FFE3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF03E9 mov eax, dword ptr fs:[00000030h]2_2_02FF03E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF03E9 mov eax, dword ptr fs:[00000030h]2_2_02FF03E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF03E9 mov eax, dword ptr fs:[00000030h]2_2_02FF03E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF03E9 mov eax, dword ptr fs:[00000030h]2_2_02FF03E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF03E9 mov eax, dword ptr fs:[00000030h]2_2_02FF03E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF03E9 mov eax, dword ptr fs:[00000030h]2_2_02FF03E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF03E9 mov eax, dword ptr fs:[00000030h]2_2_02FF03E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF03E9 mov eax, dword ptr fs:[00000030h]2_2_02FF03E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B5227 mov eax, dword ptr fs:[00000030h]2_2_030B5227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA3C0 mov eax, dword ptr fs:[00000030h]2_2_02FEA3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA3C0 mov eax, dword ptr fs:[00000030h]2_2_02FEA3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA3C0 mov eax, dword ptr fs:[00000030h]2_2_02FEA3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA3C0 mov eax, dword ptr fs:[00000030h]2_2_02FEA3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA3C0 mov eax, dword ptr fs:[00000030h]2_2_02FEA3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA3C0 mov eax, dword ptr fs:[00000030h]2_2_02FEA3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE83C0 mov eax, dword ptr fs:[00000030h]2_2_02FE83C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE83C0 mov eax, dword ptr fs:[00000030h]2_2_02FE83C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE83C0 mov eax, dword ptr fs:[00000030h]2_2_02FE83C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE83C0 mov eax, dword ptr fs:[00000030h]2_2_02FE83C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068243 mov eax, dword ptr fs:[00000030h]2_2_03068243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068243 mov ecx, dword ptr fs:[00000030h]2_2_03068243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301724D mov eax, dword ptr fs:[00000030h]2_2_0301724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306D250 mov ecx, dword ptr fs:[00000030h]2_2_0306D250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309B256 mov eax, dword ptr fs:[00000030h]2_2_0309B256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309B256 mov eax, dword ptr fs:[00000030h]2_2_0309B256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD26B mov eax, dword ptr fs:[00000030h]2_2_030AD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD26B mov eax, dword ptr fs:[00000030h]2_2_030AD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD8397 mov eax, dword ptr fs:[00000030h]2_2_02FD8397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD8397 mov eax, dword ptr fs:[00000030h]2_2_02FD8397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD8397 mov eax, dword ptr fs:[00000030h]2_2_02FD8397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03021270 mov eax, dword ptr fs:[00000030h]2_2_03021270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03021270 mov eax, dword ptr fs:[00000030h]2_2_03021270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03009274 mov eax, dword ptr fs:[00000030h]2_2_03009274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE388 mov eax, dword ptr fs:[00000030h]2_2_02FDE388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE388 mov eax, dword ptr fs:[00000030h]2_2_02FDE388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE388 mov eax, dword ptr fs:[00000030h]2_2_02FDE388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03090274 mov eax, dword ptr fs:[00000030h]2_2_03090274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060283 mov eax, dword ptr fs:[00000030h]2_2_03060283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060283 mov eax, dword ptr fs:[00000030h]2_2_03060283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060283 mov eax, dword ptr fs:[00000030h]2_2_03060283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301E284 mov eax, dword ptr fs:[00000030h]2_2_0301E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301E284 mov eax, dword ptr fs:[00000030h]2_2_0301E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B5283 mov eax, dword ptr fs:[00000030h]2_2_030B5283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE7370 mov eax, dword ptr fs:[00000030h]2_2_02FE7370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE7370 mov eax, dword ptr fs:[00000030h]2_2_02FE7370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE7370 mov eax, dword ptr fs:[00000030h]2_2_02FE7370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301329E mov eax, dword ptr fs:[00000030h]2_2_0301329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301329E mov eax, dword ptr fs:[00000030h]2_2_0301329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030762A0 mov eax, dword ptr fs:[00000030h]2_2_030762A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030762A0 mov ecx, dword ptr fs:[00000030h]2_2_030762A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030762A0 mov eax, dword ptr fs:[00000030h]2_2_030762A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030762A0 mov eax, dword ptr fs:[00000030h]2_2_030762A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030762A0 mov eax, dword ptr fs:[00000030h]2_2_030762A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030762A0 mov eax, dword ptr fs:[00000030h]2_2_030762A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030772A0 mov eax, dword ptr fs:[00000030h]2_2_030772A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030772A0 mov eax, dword ptr fs:[00000030h]2_2_030772A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A92A6 mov eax, dword ptr fs:[00000030h]2_2_030A92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A92A6 mov eax, dword ptr fs:[00000030h]2_2_030A92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A92A6 mov eax, dword ptr fs:[00000030h]2_2_030A92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A92A6 mov eax, dword ptr fs:[00000030h]2_2_030A92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9353 mov eax, dword ptr fs:[00000030h]2_2_02FD9353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9353 mov eax, dword ptr fs:[00000030h]2_2_02FD9353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDD34C mov eax, dword ptr fs:[00000030h]2_2_02FDD34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDD34C mov eax, dword ptr fs:[00000030h]2_2_02FDD34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030692BC mov eax, dword ptr fs:[00000030h]2_2_030692BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030692BC mov eax, dword ptr fs:[00000030h]2_2_030692BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030692BC mov ecx, dword ptr fs:[00000030h]2_2_030692BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030692BC mov ecx, dword ptr fs:[00000030h]2_2_030692BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B2C0 mov eax, dword ptr fs:[00000030h]2_2_0300B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B2C0 mov eax, dword ptr fs:[00000030h]2_2_0300B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B2C0 mov eax, dword ptr fs:[00000030h]2_2_0300B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B2C0 mov eax, dword ptr fs:[00000030h]2_2_0300B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B2C0 mov eax, dword ptr fs:[00000030h]2_2_0300B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B2C0 mov eax, dword ptr fs:[00000030h]2_2_0300B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B2C0 mov eax, dword ptr fs:[00000030h]2_2_0300B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD7330 mov eax, dword ptr fs:[00000030h]2_2_02FD7330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300F2D0 mov eax, dword ptr fs:[00000030h]2_2_0300F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300F2D0 mov eax, dword ptr fs:[00000030h]2_2_0300F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030912ED mov eax, dword ptr fs:[00000030h]2_2_030912ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B52E2 mov eax, dword ptr fs:[00000030h]2_2_030B52E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDC310 mov ecx, dword ptr fs:[00000030h]2_2_02FDC310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309F2F8 mov eax, dword ptr fs:[00000030h]2_2_0309F2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDC0F0 mov eax, dword ptr fs:[00000030h]2_2_02FDC0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308A118 mov ecx, dword ptr fs:[00000030h]2_2_0308A118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308A118 mov eax, dword ptr fs:[00000030h]2_2_0308A118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308A118 mov eax, dword ptr fs:[00000030h]2_2_0308A118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308A118 mov eax, dword ptr fs:[00000030h]2_2_0308A118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE80E9 mov eax, dword ptr fs:[00000030h]2_2_02FE80E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA0E3 mov ecx, dword ptr fs:[00000030h]2_2_02FDA0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A0115 mov eax, dword ptr fs:[00000030h]2_2_030A0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03010124 mov eax, dword ptr fs:[00000030h]2_2_03010124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov ecx, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov ecx, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov ecx, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov ecx, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70C0 mov eax, dword ptr fs:[00000030h]2_2_02FF70C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074144 mov eax, dword ptr fs:[00000030h]2_2_03074144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074144 mov eax, dword ptr fs:[00000030h]2_2_03074144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074144 mov ecx, dword ptr fs:[00000030h]2_2_03074144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074144 mov eax, dword ptr fs:[00000030h]2_2_03074144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074144 mov eax, dword ptr fs:[00000030h]2_2_03074144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073140 mov eax, dword ptr fs:[00000030h]2_2_03073140
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073140 mov eax, dword ptr fs:[00000030h]2_2_03073140
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073140 mov eax, dword ptr fs:[00000030h]2_2_03073140
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B5152 mov eax, dword ptr fs:[00000030h]2_2_030B5152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03078158 mov eax, dword ptr fs:[00000030h]2_2_03078158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE5096 mov eax, dword ptr fs:[00000030h]2_2_02FE5096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDD08D mov eax, dword ptr fs:[00000030h]2_2_02FDD08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE208A mov eax, dword ptr fs:[00000030h]2_2_02FE208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03079179 mov eax, dword ptr fs:[00000030h]2_2_03079179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309C188 mov eax, dword ptr fs:[00000030h]2_2_0309C188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309C188 mov eax, dword ptr fs:[00000030h]2_2_0309C188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03020185 mov eax, dword ptr fs:[00000030h]2_2_03020185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov ecx, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1070 mov eax, dword ptr fs:[00000030h]2_2_02FF1070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03037190 mov eax, dword ptr fs:[00000030h]2_2_03037190
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306019F mov eax, dword ptr fs:[00000030h]2_2_0306019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306019F mov eax, dword ptr fs:[00000030h]2_2_0306019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306019F mov eax, dword ptr fs:[00000030h]2_2_0306019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306019F mov eax, dword ptr fs:[00000030h]2_2_0306019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030911A4 mov eax, dword ptr fs:[00000030h]2_2_030911A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030911A4 mov eax, dword ptr fs:[00000030h]2_2_030911A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030911A4 mov eax, dword ptr fs:[00000030h]2_2_030911A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030911A4 mov eax, dword ptr fs:[00000030h]2_2_030911A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE2050 mov eax, dword ptr fs:[00000030h]2_2_02FE2050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B51CB mov eax, dword ptr fs:[00000030h]2_2_030B51CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A61C3 mov eax, dword ptr fs:[00000030h]2_2_030A61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A61C3 mov eax, dword ptr fs:[00000030h]2_2_030A61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301D1D0 mov eax, dword ptr fs:[00000030h]2_2_0301D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301D1D0 mov ecx, dword ptr fs:[00000030h]2_2_0301D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E1D0 mov eax, dword ptr fs:[00000030h]2_2_0305E1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E1D0 mov eax, dword ptr fs:[00000030h]2_2_0305E1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E1D0 mov ecx, dword ptr fs:[00000030h]2_2_0305E1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E1D0 mov eax, dword ptr fs:[00000030h]2_2_0305E1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E1D0 mov eax, dword ptr fs:[00000030h]2_2_0305E1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA020 mov eax, dword ptr fs:[00000030h]2_2_02FDA020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDC020 mov eax, dword ptr fs:[00000030h]2_2_02FDC020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE016 mov eax, dword ptr fs:[00000030h]2_2_02FFE016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE016 mov eax, dword ptr fs:[00000030h]2_2_02FFE016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE016 mov eax, dword ptr fs:[00000030h]2_2_02FFE016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE016 mov eax, dword ptr fs:[00000030h]2_2_02FFE016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B61E5 mov eax, dword ptr fs:[00000030h]2_2_030B61E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030051EF mov eax, dword ptr fs:[00000030h]2_2_030051EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030871F9 mov esi, dword ptr fs:[00000030h]2_2_030871F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030101F8 mov eax, dword ptr fs:[00000030h]2_2_030101F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03064000 mov ecx, dword ptr fs:[00000030h]2_2_03064000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE51ED mov eax, dword ptr fs:[00000030h]2_2_02FE51ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A903E mov eax, dword ptr fs:[00000030h]2_2_030A903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A903E mov eax, dword ptr fs:[00000030h]2_2_030A903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A903E mov eax, dword ptr fs:[00000030h]2_2_030A903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A903E mov eax, dword ptr fs:[00000030h]2_2_030A903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03076030 mov eax, dword ptr fs:[00000030h]2_2_03076030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFB1B0 mov eax, dword ptr fs:[00000030h]2_2_02FFB1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B052 mov eax, dword ptr fs:[00000030h]2_2_0300B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308705E mov ebx, dword ptr fs:[00000030h]2_2_0308705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308705E mov eax, dword ptr fs:[00000030h]2_2_0308705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066050 mov eax, dword ptr fs:[00000030h]2_2_03066050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306106E mov eax, dword ptr fs:[00000030h]2_2_0306106E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA197 mov eax, dword ptr fs:[00000030h]2_2_02FDA197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA197 mov eax, dword ptr fs:[00000030h]2_2_02FDA197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA197 mov eax, dword ptr fs:[00000030h]2_2_02FDA197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B5060 mov eax, dword ptr fs:[00000030h]2_2_030B5060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300C073 mov eax, dword ptr fs:[00000030h]2_2_0300C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D070 mov ecx, dword ptr fs:[00000030h]2_2_0305D070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306D080 mov eax, dword ptr fs:[00000030h]2_2_0306D080
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306D080 mov eax, dword ptr fs:[00000030h]2_2_0306D080
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF172 mov eax, dword ptr fs:[00000030h]2_2_02FDF172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300D090 mov eax, dword ptr fs:[00000030h]2_2_0300D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300D090 mov eax, dword ptr fs:[00000030h]2_2_0300D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301909C mov eax, dword ptr fs:[00000030h]2_2_0301909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE6154 mov eax, dword ptr fs:[00000030h]2_2_02FE6154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE6154 mov eax, dword ptr fs:[00000030h]2_2_02FE6154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDC156 mov eax, dword ptr fs:[00000030h]2_2_02FDC156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE7152 mov eax, dword ptr fs:[00000030h]2_2_02FE7152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030780A8 mov eax, dword ptr fs:[00000030h]2_2_030780A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A60B8 mov eax, dword ptr fs:[00000030h]2_2_030A60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A60B8 mov ecx, dword ptr fs:[00000030h]2_2_030A60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9148 mov eax, dword ptr fs:[00000030h]2_2_02FD9148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9148 mov eax, dword ptr fs:[00000030h]2_2_02FD9148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9148 mov eax, dword ptr fs:[00000030h]2_2_02FD9148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9148 mov eax, dword ptr fs:[00000030h]2_2_02FD9148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D0C0 mov eax, dword ptr fs:[00000030h]2_2_0305D0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D0C0 mov eax, dword ptr fs:[00000030h]2_2_0305D0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB136 mov eax, dword ptr fs:[00000030h]2_2_02FDB136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB136 mov eax, dword ptr fs:[00000030h]2_2_02FDB136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB136 mov eax, dword ptr fs:[00000030h]2_2_02FDB136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB136 mov eax, dword ptr fs:[00000030h]2_2_02FDB136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE1131 mov eax, dword ptr fs:[00000030h]2_2_02FE1131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE1131 mov eax, dword ptr fs:[00000030h]2_2_02FE1131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B50D9 mov eax, dword ptr fs:[00000030h]2_2_030B50D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030620DE mov eax, dword ptr fs:[00000030h]2_2_030620DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030090DB mov eax, dword ptr fs:[00000030h]2_2_030090DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030050E4 mov eax, dword ptr fs:[00000030h]2_2_030050E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030050E4 mov ecx, dword ptr fs:[00000030h]2_2_030050E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030660E0 mov eax, dword ptr fs:[00000030h]2_2_030660E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030220F0 mov ecx, dword ptr fs:[00000030h]2_2_030220F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301C700 mov eax, dword ptr fs:[00000030h]2_2_0301C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03010710 mov eax, dword ptr fs:[00000030h]2_2_03010710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301F71F mov eax, dword ptr fs:[00000030h]2_2_0301F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301F71F mov eax, dword ptr fs:[00000030h]2_2_0301F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301C720 mov eax, dword ptr fs:[00000030h]2_2_0301C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301C720 mov eax, dword ptr fs:[00000030h]2_2_0301C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A972B mov eax, dword ptr fs:[00000030h]2_2_030A972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309F72E mov eax, dword ptr fs:[00000030h]2_2_0309F72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C730 mov eax, dword ptr fs:[00000030h]2_2_0305C730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03015734 mov eax, dword ptr fs:[00000030h]2_2_03015734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BB73C mov eax, dword ptr fs:[00000030h]2_2_030BB73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BB73C mov eax, dword ptr fs:[00000030h]2_2_030BB73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BB73C mov eax, dword ptr fs:[00000030h]2_2_030BB73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BB73C mov eax, dword ptr fs:[00000030h]2_2_030BB73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301273C mov eax, dword ptr fs:[00000030h]2_2_0301273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301273C mov ecx, dword ptr fs:[00000030h]2_2_0301273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301273C mov eax, dword ptr fs:[00000030h]2_2_0301273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEB6C0 mov eax, dword ptr fs:[00000030h]2_2_02FEB6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEB6C0 mov eax, dword ptr fs:[00000030h]2_2_02FEB6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEB6C0 mov eax, dword ptr fs:[00000030h]2_2_02FEB6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEB6C0 mov eax, dword ptr fs:[00000030h]2_2_02FEB6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEB6C0 mov eax, dword ptr fs:[00000030h]2_2_02FEB6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEB6C0 mov eax, dword ptr fs:[00000030h]2_2_02FEB6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B3749 mov eax, dword ptr fs:[00000030h]2_2_030B3749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301674D mov esi, dword ptr fs:[00000030h]2_2_0301674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301674D mov eax, dword ptr fs:[00000030h]2_2_0301674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301674D mov eax, dword ptr fs:[00000030h]2_2_0301674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD76B2 mov eax, dword ptr fs:[00000030h]2_2_02FD76B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD76B2 mov eax, dword ptr fs:[00000030h]2_2_02FD76B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD76B2 mov eax, dword ptr fs:[00000030h]2_2_02FD76B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022750 mov eax, dword ptr fs:[00000030h]2_2_03022750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022750 mov eax, dword ptr fs:[00000030h]2_2_03022750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03064755 mov eax, dword ptr fs:[00000030h]2_2_03064755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDD6AA mov eax, dword ptr fs:[00000030h]2_2_02FDD6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDD6AA mov eax, dword ptr fs:[00000030h]2_2_02FDD6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E75D mov eax, dword ptr fs:[00000030h]2_2_0306E75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4690 mov eax, dword ptr fs:[00000030h]2_2_02FE4690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4690 mov eax, dword ptr fs:[00000030h]2_2_02FE4690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0309F78A mov eax, dword ptr fs:[00000030h]2_2_0309F78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306F7AF mov eax, dword ptr fs:[00000030h]2_2_0306F7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306F7AF mov eax, dword ptr fs:[00000030h]2_2_0306F7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306F7AF mov eax, dword ptr fs:[00000030h]2_2_0306F7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306F7AF mov eax, dword ptr fs:[00000030h]2_2_0306F7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306F7AF mov eax, dword ptr fs:[00000030h]2_2_0306F7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030697A9 mov eax, dword ptr fs:[00000030h]2_2_030697A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300D7B0 mov eax, dword ptr fs:[00000030h]2_2_0300D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B37B6 mov eax, dword ptr fs:[00000030h]2_2_030B37B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFC640 mov eax, dword ptr fs:[00000030h]2_2_02FFC640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030607C3 mov eax, dword ptr fs:[00000030h]2_2_030607C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE262C mov eax, dword ptr fs:[00000030h]2_2_02FE262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFE627 mov eax, dword ptr fs:[00000030h]2_2_02FFE627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF626 mov eax, dword ptr fs:[00000030h]2_2_02FDF626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E7E1 mov eax, dword ptr fs:[00000030h]2_2_0306E7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE3616 mov eax, dword ptr fs:[00000030h]2_2_02FE3616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE3616 mov eax, dword ptr fs:[00000030h]2_2_02FE3616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030027ED mov eax, dword ptr fs:[00000030h]2_2_030027ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030027ED mov eax, dword ptr fs:[00000030h]2_2_030027ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030027ED mov eax, dword ptr fs:[00000030h]2_2_030027ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF260B mov eax, dword ptr fs:[00000030h]2_2_02FF260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF260B mov eax, dword ptr fs:[00000030h]2_2_02FF260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF260B mov eax, dword ptr fs:[00000030h]2_2_02FF260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF260B mov eax, dword ptr fs:[00000030h]2_2_02FF260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF260B mov eax, dword ptr fs:[00000030h]2_2_02FF260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF260B mov eax, dword ptr fs:[00000030h]2_2_02FF260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF260B mov eax, dword ptr fs:[00000030h]2_2_02FF260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301F603 mov eax, dword ptr fs:[00000030h]2_2_0301F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE47FB mov eax, dword ptr fs:[00000030h]2_2_02FE47FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE47FB mov eax, dword ptr fs:[00000030h]2_2_02FE47FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03011607 mov eax, dword ptr fs:[00000030h]2_2_03011607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E609 mov eax, dword ptr fs:[00000030h]2_2_0305E609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03022619 mov eax, dword ptr fs:[00000030h]2_2_03022619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FED7E0 mov ecx, dword ptr fs:[00000030h]2_2_02FED7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03016620 mov eax, dword ptr fs:[00000030h]2_2_03016620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03018620 mov eax, dword ptr fs:[00000030h]2_2_03018620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B5636 mov eax, dword ptr fs:[00000030h]2_2_030B5636
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC7C0 mov eax, dword ptr fs:[00000030h]2_2_02FEC7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE57C0 mov eax, dword ptr fs:[00000030h]2_2_02FE57C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE57C0 mov eax, dword ptr fs:[00000030h]2_2_02FE57C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE57C0 mov eax, dword ptr fs:[00000030h]2_2_02FE57C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDF7BA mov eax, dword ptr fs:[00000030h]2_2_02FDF7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE07AF mov eax, dword ptr fs:[00000030h]2_2_02FE07AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301A660 mov eax, dword ptr fs:[00000030h]2_2_0301A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301A660 mov eax, dword ptr fs:[00000030h]2_2_0301A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03019660 mov eax, dword ptr fs:[00000030h]2_2_03019660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03019660 mov eax, dword ptr fs:[00000030h]2_2_03019660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A866E mov eax, dword ptr fs:[00000030h]2_2_030A866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A866E mov eax, dword ptr fs:[00000030h]2_2_030A866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03012674 mov eax, dword ptr fs:[00000030h]2_2_03012674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306368C mov eax, dword ptr fs:[00000030h]2_2_0306368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306368C mov eax, dword ptr fs:[00000030h]2_2_0306368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306368C mov eax, dword ptr fs:[00000030h]2_2_0306368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306368C mov eax, dword ptr fs:[00000030h]2_2_0306368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE8770 mov eax, dword ptr fs:[00000030h]2_2_02FE8770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0770 mov eax, dword ptr fs:[00000030h]2_2_02FF0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB765 mov eax, dword ptr fs:[00000030h]2_2_02FDB765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB765 mov eax, dword ptr fs:[00000030h]2_2_02FDB765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB765 mov eax, dword ptr fs:[00000030h]2_2_02FDB765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDB765 mov eax, dword ptr fs:[00000030h]2_2_02FDB765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301C6A6 mov eax, dword ptr fs:[00000030h]2_2_0301C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0750 mov eax, dword ptr fs:[00000030h]2_2_02FE0750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030166B0 mov eax, dword ptr fs:[00000030h]2_2_030166B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF3740 mov eax, dword ptr fs:[00000030h]2_2_02FF3740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF3740 mov eax, dword ptr fs:[00000030h]2_2_02FF3740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF3740 mov eax, dword ptr fs:[00000030h]2_2_02FF3740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE973A mov eax, dword ptr fs:[00000030h]2_2_02FE973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE973A mov eax, dword ptr fs:[00000030h]2_2_02FE973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0301A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0301A6C7 mov eax, dword ptr fs:[00000030h]2_2_0301A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A16CC mov eax, dword ptr fs:[00000030h]2_2_030A16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A16CC mov eax, dword ptr fs:[00000030h]2_2_030A16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A16CC mov eax, dword ptr fs:[00000030h]2_2_030A16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030A16CC mov eax, dword ptr fs:[00000030h]2_2_030A16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9730 mov eax, dword ptr fs:[00000030h]2_2_02FD9730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD9730 mov eax, dword ptr fs:[00000030h]2_2_02FD9730

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 302008Jump to behavior
          Source: C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe"Jump to behavior
          Source: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		212
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping12
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		212
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          DLL Side-Loading          		NTDS11
          System Information Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe42%ReversingLabsWin32.Trojan.Cerbu
          SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1501382
          Start date and time:2024-08-29 20:36:16 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 20s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:5
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
          Detection:MAL
          Classification:mal92.troj.evad.winEXE@3/4@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 98%
          • Number of executed functions: 10
          • Number of non-executed functions: 322
          Cookbook Comments:
          • Found application associated with file extension: .exe

          Warnings

          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • VT rate limit hit for: SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          14:37:26API Interceptor3x Sleep call for process: svchost.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Temp\adstipulator

          Download File
          Process:C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
          File Type:ASCII text, with very long lines (65536), with no line terminators
          Category:dropped
          Size (bytes):86022
          Entropy (8bit):4.17931900778968
          Encrypted:false
          SSDEEP:1536:P7tPs2CDeyG/yffgWiiFZvxgZPYr4vLkf8h1ETOkgX6x:P5hCDlffLSZPYwLNSgA
          MD5:004DDDEFA40084E2A91868FCA3360C63
          SHA1:0395BFBDF50327EF586414E602C4D30775FC9297
          SHA-256:957C792204B71FE12B9E822500CADF5B60E703F1A45EA076D8398B08C51B0633
          SHA-512:EF6EF652E45D4B0F9A8CF16956DE33E2D68BDC24DFE79C78D8007D8C3E02C5BC578B53152A6C432CB9534E66311CF9E1AA236F29D2E651FDBE8AE01B389EEA99
          Malicious:false
          Reputation:low
          Preview:30Y78V35L35H38Y62F65I63B38S31I65D63G63S63W30A32J30D30N30G30F35M36I35D37H62U38P36B62Q30J30A30J30D30I30Z36O36J38N39G34R35J38Y34F62W39A36I35W30Z30E30S30Q30I30E36R36E38R39H34H64S38I36N62I61V37W32N30J30G30Q30D30Q30W36O36C38X39W35X35S38C38G62I38K36J65R30J30J30H30Q30C30S36G36W38S39W34C35X38M61K62D39V36G35P30A30S30L30Z30Y30M36M36L38B39A34I64O38J63X62V61G36Z63C30B30Y30W30I30D30P36S36K38D39I35Z35K38G65Q62Q38L33X33P30N30J30L30W30H30K36D36B38B39V34B35S39O30V62Z39U33V32I30X30M30U30K30M30Q36L36A38D39N34K64R39I32A62O61E32H65L30O30Q30Z30H30X30W36Y36E38J39A35B35D39F34J62W38T36Z34T30C30S30T30E30D30D36F36Y38Q39C34Z35U39X36A62M39H36W63R30U30X30J30A30F30D36W36I38Z39H34T64F39B38B62R61K36I63P30G30V30K30J30P30K36W36D38M39C35R35T39A61P33E33O63X30H36I36U38G39H34Z35R39L63R62R39Q36E65M30L30E30W30C30B30M36S36V38P39Q38M64H34P34Y66Y66J66N66K66M66U62H61A37E34F30A30O30Y30E30N30Z36U36J38I39B39B35H34Y36A66K66D66K66B66R66J62E38N36G34Q30B30R30O30V30V30J36A36T38X39M38D35O34S38K66O66A66D66G66J66G62C39H36V63K30V30T30J30P30R3

          C:\Users\user\AppData\Local\Temp\aut6786.tmp

          Download File
          Process:C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
          File Type:data
          Category:dropped
          Size (bytes):287744
          Entropy (8bit):7.993387372232108
          Encrypted:true
          SSDEEP:6144:zK23KmyrlIXiYMLdXqOpeRtibS0/pbojFdEJCgLQPEt7:zK0WrlVEO4RtYbojGCgLQe7
          MD5:841EF9157065011AD173B12BEF794B9C
          SHA1:61FE697F45B84ED5F2DFB08EC09573EE3A11DBE6
          SHA-256:E5A1E99289102F7F95FE0E3F63C3991D8E0D1543AE274F6D9E419995BF716495
          SHA-512:E0B333303F21DE813E8CA91B074DBB349E1CBD6FB3259132ACAFFE8002DFD2F43F130A0B59DC26CA044083BEA627AF7892613B93718D5CA87A7B55ADAFDA9071
          Malicious:false
          Reputation:low
          Preview:u....CWI7..E....n.JT...S[...5A8RRJWCWI7PSRL65A8RRJWCWI7PSR.65A6M.DW.^...R...a)Q!r:%,0;V=s1-X[.Lr0/w1"'.9=r.yfaU=6/yNZC.PSRL65AAS[.j#0..04.qVR."...m#0.-...pVR."...k#0.e90:qVR.8RRJWCWIg.SR.74A..i.WCWI7PSR.67@3SYJW.SI7PSRL65A.ARJWSWI7 WRL6uA8BRJWAWI1PSRL65A>RRJWCWI7 WRL45A8RRJUC..7PCRL&5A8RBJWSWI7PSR\65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A.&72#CWI3.WRL&5A8.VJWSWI7PSRL65A8RRJwCW)7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI

          C:\Users\user\AppData\Local\Temp\aut67B6.tmp

          Download File
          Process:C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
          File Type:data
          Category:dropped
          Size (bytes):43576
          Entropy (8bit):7.822723027210347
          Encrypted:false
          SSDEEP:768:aSKHlAdU/DbAxNpVe/eG7gL60/hPdqZ2wOJ9oSUrTzSTOYhvQX3vA0QNjOw:aflAd9xXc2Gj0/Zk2wOtwSjhvQXGN6w
          MD5:0F0C4B38E5240E8542F9403DED99EBA4
          SHA1:AE852E507AAD18D3ADDA3C2C925622EC3C97AAB7
          SHA-256:FC70C4B9305676EB0281970F08535B469C4B119872EE98FB1D9C10F49D509415
          SHA-512:CB43D26CF3088ECFDB170C047EE4BDA5F803E37C810BD6C606E59905953E3D0087EC3010A9ABB34461DDD3EA0F87436137085DE74E5710CAB6F97CBBE250B4D1
          Malicious:false
          Reputation:low
          Preview:EA06..P...+3y.Zg5.L...6.Q..ZL.gB..*s9.&m5.M.ty..6...s...eJ..(.9.:g0....i..3.RfsZ$.oH.L..9.Bg6.M.U........@..&g0.L.....3.S.s.<.iR..@....iF.L..9.....`+S9..g0......j.3.T.sj,.qR..i.9."m4.......6.Rf....oW..........Up..3.V&s...kX..@.....lL....rm5...@.e ...:.j<.mW..@......Sf..\.eD..j.......O.....3.....e2g8..c3JL.iO..)Si.bm2.M. .%jm3.](@..\.V...I...3..-..%jg5..(.i.D..S&s:..gP.e.@..\....(.+..eV..(@...3.U..*..sU....0..aX..f.P...%..O.j..eN..)s`....Pf.*|.cE...`..aO...@.5`.....T...j.....i...`.*....iT.8...m.l......Tfs...h..Ufs....6.S@p..^m3..NU."-Q......l...UI..3..s.i.H....&.!...V...J..t.lQ.i....D...*..3..fs:x.....+.`)r....H...0...Z&s....6...X.(.,.U.h..V..@.. Bh.xT&sJ..l..R..O..6.Sf.j......fsz(.P..S.zj(....U@.*H.z.....@.b...Q.....mR.Tf@-e8...T@!*..]V...@7....S@r..>f........r..Q.&`."...U..:X..T./...G.H.....sJ...9..m1.M....Nm6......Rl.>L@N...S....ud....(.9........f.Rl........j.&U@7......j&.=...HU....@...@-...b.a*.i...H...@.uFm6...@N...U. .`AP.^..1F.@.....j.BS@W. ..T.Q..J

          C:\Users\user\AppData\Local\Temp\reaffection

          Download File
          Process:C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
          File Type:data
          Category:dropped
          Size (bytes):287744
          Entropy (8bit):7.993387372232108
          Encrypted:true
          SSDEEP:6144:zK23KmyrlIXiYMLdXqOpeRtibS0/pbojFdEJCgLQPEt7:zK0WrlVEO4RtYbojGCgLQe7
          MD5:841EF9157065011AD173B12BEF794B9C
          SHA1:61FE697F45B84ED5F2DFB08EC09573EE3A11DBE6
          SHA-256:E5A1E99289102F7F95FE0E3F63C3991D8E0D1543AE274F6D9E419995BF716495
          SHA-512:E0B333303F21DE813E8CA91B074DBB349E1CBD6FB3259132ACAFFE8002DFD2F43F130A0B59DC26CA044083BEA627AF7892613B93718D5CA87A7B55ADAFDA9071
          Malicious:false
          Reputation:low
          Preview:u....CWI7..E....n.JT...S[...5A8RRJWCWI7PSRL65A8RRJWCWI7PSR.65A6M.DW.^...R...a)Q!r:%,0;V=s1-X[.Lr0/w1"'.9=r.yfaU=6/yNZC.PSRL65AAS[.j#0..04.qVR."...m#0.-...pVR."...k#0.e90:qVR.8RRJWCWIg.SR.74A..i.WCWI7PSR.67@3SYJW.SI7PSRL65A.ARJWSWI7 WRL6uA8BRJWAWI1PSRL65A>RRJWCWI7 WRL45A8RRJUC..7PCRL&5A8RBJWSWI7PSR\65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A.&72#CWI3.WRL&5A8.VJWSWI7PSRL65A8RRJwCW)7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI7PSRL65A8RRJWCWI

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.110436396062621
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
          File size:1'305'088 bytes
          MD5:a53393a2f0eb90d65e0bfe5c98e04096
          SHA1:88c415fa91b3e6a30c7420f364e2ebba70a29aec
          SHA256:364bdfd38cbaf67b35e1ec8f1618ec4a9c3bc932bce5ad370edbf95c0115670a
          SHA512:30587b17f1e7276e61ac11bba60b743efe89a84d98cb0b61cc2cff5950e6cdfb3c0fd6d4ecaebab12d0d764a09891c2e436e985e84790b0530241e057fa1035e
          SSDEEP:24576:UqDEvCTbMWu7rQYlBQcBiT6rprG8a+FrnFH8QxVrv7XC4Bn:UTvC/MTQYxsWR7a+Frndrfr7t
          TLSH:A155AF0273C19072FE9791320B56E6115ABCAD260123F63F2F582979BD70DA3563E7E2
          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

          File Icon

          Icon Hash:4ba1e6e4e4e2e52b

          Static PE Info

          General

          Entrypoint:0x420577
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66CEFC96 [Wed Aug 28 10:31:50 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:948cc502fe9226992dce9417f952fce3

          Entrypoint Preview

          Instruction
          call 00007F5DDC6C8B53h
          jmp 00007F5DDC6C845Fh
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F5DDC6C863Dh
          mov dword ptr [esi], 0049FDF0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FDF8h
          mov dword ptr [ecx], 0049FDF0h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F5DDC6C860Ah
          mov dword ptr [esi], 0049FE0Ch
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FE14h
          mov dword ptr [ecx], 0049FE0Ch
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          and dword ptr [eax], 00000000h
          and dword ptr [eax+04h], 00000000h
          push eax
          mov eax, dword ptr [ebp+08h]
          add eax, 04h
          push eax
          call 00007F5DDC6CB1FDh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 0049FDD0h
          push eax
          call 00007F5DDC6CB248h
          pop ecx
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          push eax
          call 00007F5DDC6CB231h
          test byte ptr [ebp+08h], 00000001h
          pop ecx

          Rich Headers

          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0xc8e640x17c.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0xd40000x67ef0.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x13c0000x7594.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0xb0ff00x1c.rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0xc34000x18.rdata
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xb10100x40.rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x9c0000x894.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x9ab1d0x9ac000a1473f3064dcbc32ef93c5c8a90f3a6False0.565500681542811data6.668273581389308IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata0x9c0000x2fb820x2fc00c9cf2468b60bf4f80f136ed54b3989fbFalse0.35289185209424084data5.691811547483722IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data0xcc0000x706c0x480053b9025d545d65e23295e30afdbd16d9False0.04356553819444445DOS executable (block device driver @\273\)0.5846666986982398IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0xd40000x67ef00x680001d8824f0a42703e7ce4ac5cf1baaa52bFalse0.8414470966045673data7.723056319053085IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc0x13c0000x75940x7600c68ee8931a32d45eb82dc450ee40efc3False0.7628111758474576data6.7972128181359786IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_ICON0xd44580x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
          RT_ICON0xd45800x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
          RT_ICON0xd46a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
          RT_ICON0xd47d00x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5669 x 5669 px/mEnglishGreat Britain0.12238258606411925
          RT_MENU0xe4ff80x50dataEnglishGreat Britain0.9
          RT_STRING0xe50480x594dataEnglishGreat Britain0.3333333333333333
          RT_STRING0xe55dc0x68adataEnglishGreat Britain0.2735961768219833
          RT_STRING0xe5c680x490dataEnglishGreat Britain0.3715753424657534
          RT_STRING0xe60f80x5fcdataEnglishGreat Britain0.3087467362924282
          RT_STRING0xe66f40x65cdataEnglishGreat Britain0.34336609336609336
          RT_STRING0xe6d500x466dataEnglishGreat Britain0.3605683836589698
          RT_STRING0xe71b80x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
          RT_RCDATA0xe73100x54694data1.0003355044714648
          RT_GROUP_ICON0x13b9a40x14dataEnglishGreat Britain1.25
          RT_GROUP_ICON0x13b9b80x14dataEnglishGreat Britain1.25
          RT_GROUP_ICON0x13b9cc0x14dataEnglishGreat Britain1.15
          RT_GROUP_ICON0x13b9e00x14dataEnglishGreat Britain1.25
          RT_VERSION0x13b9f40x10cdataEnglishGreat Britain0.5970149253731343
          RT_MANIFEST0x13bb000x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

          Imports

          DLLImport
          WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
          VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dllWNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
          WININET.dllHttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
          PSAPI.DLLGetProcessMemoryInfo
          IPHLPAPI.DLLIcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
          USERENV.dllDestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
          UxTheme.dllIsThemeActive
          KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
          USER32.dllGetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
          GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
          COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
          SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
          ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          EnglishGreat Britain

          Network Behavior

          No network behavior found

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:14:37:02
          Start date:29/08/2024
          Path:C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe"
          Imagebase:0xdc0000
          File size:1'305'088 bytes
          MD5 hash:A53393A2F0EB90D65E0BFE5C98E04096
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          General

          Target ID:2
          Start time:14:37:18
          Start date:29/08/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SCANNED_DOCUMENT__AUG_18_2024_REVISED.exe"
          Imagebase:0xfa0000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2261534620.0000000000520000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:0.9%
            Dynamic/Decrypted Code Coverage:5.8%
            Signature Coverage:9.7%
            Total number of Nodes:103
            Total number of Limit Nodes:9
            execution_graph 82564 4019c0 82565 4019c8 82564->82565 82568 42fcc3 82565->82568 82566 401aa7 82566->82566 82571 42e1e3 82568->82571 82572 42e209 82571->82572 82581 4074b3 82572->82581 82574 42e21f 82580 42e27b 82574->82580 82584 41b193 82574->82584 82576 42e23e 82577 42e253 82576->82577 82578 42c983 ExitProcess 82576->82578 82595 42c983 82577->82595 82578->82577 82580->82566 82583 4074c0 82581->82583 82598 416543 82581->82598 82583->82574 82585 41b1bf 82584->82585 82622 41b083 82585->82622 82588 41b204 82592 42c5e3 NtClose 82588->82592 82593 41b220 82588->82593 82589 41b1ec 82590 41b1f7 82589->82590 82628 42c5e3 82589->82628 82590->82576 82594 41b216 82592->82594 82593->82576 82594->82576 82596 42c9a0 82595->82596 82597 42c9b1 ExitProcess 82596->82597 82597->82580 82599 41655d 82598->82599 82601 416573 82599->82601 82602 42d013 82599->82602 82601->82583 82604 42d02d 82602->82604 82603 42d05c 82603->82601 82604->82603 82609 42bc93 82604->82609 82610 42bcb0 82609->82610 82616 3022c0a 82610->82616 82611 42bcd9 82613 42e633 82611->82613 82619 42c943 82613->82619 82615 42d0cf 82615->82601 82617 3022c11 82616->82617 82618 3022c1f LdrInitializeThunk 82616->82618 82617->82611 82618->82611 82620 42c95d 82619->82620 82621 42c96b RtlFreeHeap 82620->82621 82621->82615 82623 41b179 82622->82623 82624 41b09d 82622->82624 82623->82588 82623->82589 82631 42bd23 82624->82631 82627 42c5e3 NtClose 82627->82623 82629 42c5fd 82628->82629 82630 42c60b NtClose 82629->82630 82630->82590 82632 42bd3d 82631->82632 82635 30235c0 LdrInitializeThunk 82632->82635 82633 41b16d 82633->82627 82635->82633 82636 42bc43 82637 42bc5d 82636->82637 82640 3022df0 LdrInitializeThunk 82637->82640 82638 42bc82 82640->82638 82641 424da3 82645 424dbc 82641->82645 82642 424e07 82643 42e633 RtlFreeHeap 82642->82643 82644 424e14 82643->82644 82645->82642 82646 424e44 82645->82646 82648 424e49 82645->82648 82647 42e633 RtlFreeHeap 82646->82647 82647->82648 82654 42f853 82655 42e633 RtlFreeHeap 82654->82655 82656 42f868 82655->82656 82657 424a13 82658 424a2f 82657->82658 82659 424a57 82658->82659 82660 424a6b 82658->82660 82661 42c5e3 NtClose 82659->82661 82662 42c5e3 NtClose 82660->82662 82663 424a60 82661->82663 82664 424a74 82662->82664 82667 42e753 RtlAllocateHeap 82664->82667 82666 424a7f 82667->82666 82668 42e713 82671 42c8f3 82668->82671 82670 42e72e 82672 42c910 82671->82672 82673 42c91e RtlAllocateHeap 82672->82673 82673->82670 82649 417883 82650 4178a7 82649->82650 82651 4178e3 LdrLoadDll 82650->82651 82652 4178ae 82650->82652 82651->82652 82653 3022b60 LdrInitializeThunk 82674 413d93 82675 413db3 82674->82675 82677 413e1c 82675->82677 82679 41b4a3 RtlFreeHeap LdrInitializeThunk 82675->82679 82678 413e12 82679->82678 82680 4245b4 82683 4245d5 82680->82683 82681 4245f3 82684 42c5e3 NtClose 82681->82684 82682 424608 82685 42c5e3 NtClose 82682->82685 82683->82681 82683->82682 82686 4245fc 82684->82686 82688 424611 82685->82688 82687 424648 82688->82687 82689 42e633 RtlFreeHeap 82688->82689 82690 42463c 82689->82690

            Executed Functions

            Function 00417883 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 64 417883-41789f 65 4178a7-4178ac 64->65 66 4178a2 call 42f333 64->66 67 4178b2-4178c0 call 42f933 65->67 68 4178ae-4178b1 65->68 66->65 71 4178d0-4178e1 call 42dcb3 67->71 72 4178c2-4178cd call 42fbd3 67->72 77 4178e3-4178f7 LdrLoadDll 71->77 78 4178fa-4178fd 71->78 72->71 77->78
            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178F5
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: a8e512367c5970180f479a0a997a77d00fa78f374ca698d2398436c79bc6bbbb
            • Instruction ID: 89226e52e13df720c1f0b2ada5c30b0553ee3ed92097be9ffcb7e527a97ee20b
            • Opcode Fuzzy Hash: a8e512367c5970180f479a0a997a77d00fa78f374ca698d2398436c79bc6bbbb
            • Instruction Fuzzy Hash: 5A015EB5E0020DABDB10EBA5DC42FDEB3789B54308F4081AAE90897241F634EB49CB95
            Function 0042C5E3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 89 42c5e3-42c619 call 4048b3 call 42d7e3 NtClose
            APIs
            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C614
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            • Opcode ID: 04b39f2ec9435c79309ad888eaf066097600a74279399dbaa31f369693005373
            • Instruction ID: a03ac3d8db4861db2839c8d150fc1e3115924df279dbd77117a667db6e7ec006
            • Opcode Fuzzy Hash: 04b39f2ec9435c79309ad888eaf066097600a74279399dbaa31f369693005373
            • Instruction Fuzzy Hash: 94E04F362102547BD110FA5ADC01F9BB75CDFC5714F014529FA0867241C6B4B90087E4
            Function 030235C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 105 30235c0-30235cc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: fc9fb80cdefd403381afd5d312c2587bea6353664784a5ddfffaabf64af5ffe4
            • Instruction ID: 574b5f4470934903b0ee043e45e0ab60613d370e32faae80786205c68c54421f
            • Opcode Fuzzy Hash: fc9fb80cdefd403381afd5d312c2587bea6353664784a5ddfffaabf64af5ffe4
            • Instruction Fuzzy Hash: 7F90023160690802E100B1588514706105987D1201F65C451B0428568D87958A5575A2
            Function 03022B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 103 3022b60-3022b6c LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 7e30a93c7a8332210ef2c15d9d82d1b2f26b7beee72541eaad5d46d909ba29c1
            • Instruction ID: 024e8c8aad868e519211465ea67f468ce821de3d927d0f4df5aee89b7b53aab8
            • Opcode Fuzzy Hash: 7e30a93c7a8332210ef2c15d9d82d1b2f26b7beee72541eaad5d46d909ba29c1
            • Instruction Fuzzy Hash: C2900261203804035105B1588414616405E87E1201B55C061F1018590DC62589957125
            Function 03022DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 104 3022df0-3022dfc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 12916c2c462bf46cf19f95c47b0fb3b712574ea4b600b558db2e3ed2bfe94007
            • Instruction ID: f12b3ede8e1a04189d100b16fce6d31c0eb0eb9f8deb2098073aacebb5533ac3
            • Opcode Fuzzy Hash: 12916c2c462bf46cf19f95c47b0fb3b712574ea4b600b558db2e3ed2bfe94007
            • Instruction Fuzzy Hash: C190023120280813E111B1588504707005D87D1241F95C452B0428558D97568A56B121
            Function 0040195C Relevance: 1.4, Strings: 1, Instructions: 134COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 106 40195c-40197d 107 4019e8-4019ee 106->107 108 40197f-4019bc 106->108 110 4019f3-4019fc 107->110 110->110 111 4019fe 110->111 112 401a03-401a14 111->112 112->112 113 401a16-401a2e call 4010c0 112->113 116 401a30-401a45 113->116 116->116 117 401a47-401a7e call 401c00 call 401000 116->117 122 401a80-401a98 117->122 123 401a9a 122->123 124 401a9d-401aa3 122->124 123->124 124->122 125 401aa5 call 42fcc3 124->125 126 401aa7-401aac 125->126 127 401ab0-401ac3 126->127 127->127 128 401ac5-401acf 127->128 129 401ad4-401ada 128->129 129->129 130 401adc 129->130 131 401ae0-401af5 130->131 131->131 132 401af7-401aff 131->132
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: gfff
            • API String ID: 0-1553575800
            • Opcode ID: 74b40b79c7243dca647cf0f6009bdb1e9ccabe186f91a3b3b3557de7f1256c4c
            • Instruction ID: f6ab3b2e6902246e22a81c93fde2c39471ae9df38e32fa8143d0d99c0ba7af76
            • Opcode Fuzzy Hash: 74b40b79c7243dca647cf0f6009bdb1e9ccabe186f91a3b3b3557de7f1256c4c
            • Instruction Fuzzy Hash: A4412772B001094BCF188A69DC522EABB69EB95305F0841BAE845EF6E1E5349D55CFC1
            Function 0042C8F3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 79 42c8f3-42c934 call 4048b3 call 42d7e3 RtlAllocateHeap
            APIs
            • RtlAllocateHeap.NTDLL(?,0041E63B,?,?,00000000,?,0041E63B,?,?,?), ref: 0042C92F
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: f6da11ce7dc21885c0d1a64120335966a49f5e76ce4ce8a5fa2bba32730fd009
            • Instruction ID: a9d6303b02f6cfaf5c3a241aae29fc2f8941b1fbed7d6c158132cd8e9f1c9cee
            • Opcode Fuzzy Hash: f6da11ce7dc21885c0d1a64120335966a49f5e76ce4ce8a5fa2bba32730fd009
            • Instruction Fuzzy Hash: 58E06D76604214BBD610EE49DC41E9B73ACEFC8714F004419FA08A7241D670B910C6B4
            Function 0042C943 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 84 42c943-42c981 call 4048b3 call 42d7e3 RtlFreeHeap
            APIs
            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,5A8C0F10,00000007,00000000,00000004,00000000,00417102,000000F4), ref: 0042C97C
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 33deba49b71c9cc9e0d2ed3a6f502b2a2cdb57edd6a4f111ae2f39c7d484abb3
            • Instruction ID: bcbdb5875f2d9f1ef31f57e514cf1933b1c64fc16a712f2ec7da3e8cdc9fa043
            • Opcode Fuzzy Hash: 33deba49b71c9cc9e0d2ed3a6f502b2a2cdb57edd6a4f111ae2f39c7d484abb3
            • Instruction Fuzzy Hash: 14E0EDB6604214BFD614EE59DC42F9B77ACEFC5714F004419F908AB241D675B910CAB8
            Function 0042C983 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 94 42c983-42c9bf call 4048b3 call 42d7e3 ExitProcess
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 23f2ebb35b6bbbe46bf8937918d49098543b9ec31734f9a0a6492d3a21c7414b
            • Instruction ID: 86f4ce7ba6c1aaf1448ccdb453c10666cff4304299e47d80cd89a717efaaa53e
            • Opcode Fuzzy Hash: 23f2ebb35b6bbbe46bf8937918d49098543b9ec31734f9a0a6492d3a21c7414b
            • Instruction Fuzzy Hash: 93E04F362402147BD610BA5ADC01F97779CDBC5714F50841AFA4867241CA74790487E4
            Function 03022C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 99 3022c0a-3022c0f 100 3022c11-3022c18 99->100 101 3022c1f-3022c26 LdrInitializeThunk 99->101
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 7cb2ded272928ce2034a7a69d155519340505ab0d6479e82444e303be38e2d74
            • Instruction ID: 38f7cfb229ad54644fe3ccd893dd09929f8f2cda5554e5cd8595bb10683844ee
            • Opcode Fuzzy Hash: 7cb2ded272928ce2034a7a69d155519340505ab0d6479e82444e303be38e2d74
            • Instruction Fuzzy Hash: 18B09B719039D5C5EA51E76046087177D5867D1701F29C4A1E2074641F4739C1D5F275

            Non-executed Functions

            Function 03062349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2160512332
            • Opcode ID: 0ba7cc0e0cddd1ecf26e407b0411c518c94fc1ea159b151d1ce9097fbeafb171
            • Instruction ID: a4b38bc36bf39efc2476f7c62046fed74ec59ba3ac86e62433f391913422cbd7
            • Opcode Fuzzy Hash: 0ba7cc0e0cddd1ecf26e407b0411c518c94fc1ea159b151d1ce9097fbeafb171
            • Instruction Fuzzy Hash: 82927B75606342ABE721DE24C880B6BB7EDBB84750F084C2DFA95DB294D770E844CB92
            Function 02FD68B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-3089669407
            • Opcode ID: e4181c9607e2bd547ebae5a610778eb9db23ef21b7f58c6a2832f325d6596872
            • Instruction ID: c99b14c86dc96140d734099893a79a353633f692c4a7fcd56c09e574cb8c5fec
            • Opcode Fuzzy Hash: e4181c9607e2bd547ebae5a610778eb9db23ef21b7f58c6a2832f325d6596872
            • Instruction Fuzzy Hash: 08811FB2D03219AB9B11FBA8EDD4EEEB7FEAB056507144422BE01F7114E735DD148BA0
            Function 03018620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
            Download Yara Rule
            Strings
            • 8, xrefs: 030552E3
            • corrupted critical section, xrefs: 030554C2
            • Critical section address., xrefs: 03055502
            • Thread identifier, xrefs: 0305553A
            • Thread is in a state in which it cannot own a critical section, xrefs: 03055543
            • double initialized or corrupted critical section, xrefs: 03055508
            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 030554E2
            • Invalid debug info address of this critical section, xrefs: 030554B6
            • Address of the debug info found in the active list., xrefs: 030554AE, 030554FA
            • undeleted critical section in freed memory, xrefs: 0305542B
            • Critical section debug info address, xrefs: 0305541F, 0305552E
            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0305540A, 03055496, 03055519
            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 030554CE
            • Critical section address, xrefs: 03055425, 030554BC, 03055534
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
            • API String ID: 0-2368682639
            • Opcode ID: 0babd3d38b7238b979d2f97f8ebff417351de3dd6635c60fc25f98592dd0cb5a
            • Instruction ID: 42c426a1b6be09ca480fb34288cb6e9456c377cb49c1ccbf5750178c01bf35da
            • Opcode Fuzzy Hash: 0babd3d38b7238b979d2f97f8ebff417351de3dd6635c60fc25f98592dd0cb5a
            • Instruction Fuzzy Hash: 4D81CCB0A02349AFEB21CF94CD40BAEBBF9BB49740F244119FA06B7640D3B5A940CB50
            Function 03010F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
            • API String ID: 0-360209818
            • Opcode ID: c25b2dc073cd7c729dbb0e1b62ab84e0e7ef05d324e28af04aaa5475959c066f
            • Instruction ID: 8c658c21e0d16d79ec79c2c6c52bbfb020a7be98b33c157bf8e818d9b0a7ab68
            • Opcode Fuzzy Hash: c25b2dc073cd7c729dbb0e1b62ab84e0e7ef05d324e28af04aaa5475959c066f
            • Instruction Fuzzy Hash: ED62A3B5E022299FDF78CF18C8407AAB7F6AF85310F5941D9E949AB240D7725AE1CF40
            Function 030912ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
            • API String ID: 0-3591852110
            • Opcode ID: cf77670a6e0be6cde422deab28d9157a1e38d67a51e51334912e36939930f357
            • Instruction ID: 34c1646b95344fb5a2da0fe02f6624752e1fff7d67444ac84f686495b55e9d79
            • Opcode Fuzzy Hash: cf77670a6e0be6cde422deab28d9157a1e38d67a51e51334912e36939930f357
            • Instruction Fuzzy Hash: D412B030706642DFEB29CF28C451BBAF7F6EF09754F19849AE5868B641D734E840EB50
            Function 02FFAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
            • API String ID: 0-3197712848
            • Opcode ID: 9750888915f4f70bfa33083e1239f6597b08e369bce79c0448c004df4eb089eb
            • Instruction ID: 5e724cab8632bfdfc56dae14620677f2e2c1f5b961b5548494f42d89009f72f0
            • Opcode Fuzzy Hash: 9750888915f4f70bfa33083e1239f6597b08e369bce79c0448c004df4eb089eb
            • Instruction Fuzzy Hash: 39120772A0A3418FD364DF14C840BAAB7E5BF84788F05496DFB899B2A0E735D944CB52
            Function 02FDD34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
            • API String ID: 0-3532704233
            • Opcode ID: cbde2a1e0eda6040397ca8098f7d068449240484de7602fb30c81b75eead6108
            • Instruction ID: dc51723c73edf0aab619495622753acc2fd10fb14d68689cc67361cb6438f256
            • Opcode Fuzzy Hash: cbde2a1e0eda6040397ca8098f7d068449240484de7602fb30c81b75eead6108
            • Instruction Fuzzy Hash: D2B1AE76A093519FC721DF28C840B6BBBE9AF85794F09492EFA89D7240D730D944CF92
            Function 03090CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
            • API String ID: 0-1357697941
            • Opcode ID: 9f91fa0fba3247c533020cc64df877fbac7717f1b1e296a993b6c18e11f34986
            • Instruction ID: 256a9a81b9d2a6b6052e7457c387018d95d341dd4e79e90b57fd5e3cd8d6baca
            • Opcode Fuzzy Hash: 9f91fa0fba3247c533020cc64df877fbac7717f1b1e296a993b6c18e11f34986
            • Instruction Fuzzy Hash: D5F13331A02286EFEF25CF68C450BAAF7F6FF09344F09845AE6828B641C774A945DF51
            Function 03079179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
            • API String ID: 0-3063724069
            • Opcode ID: 5775151af386eee01844949c431cb30d1f0815430a34239277ed3a520ef4a6f5
            • Instruction ID: bd1233630dea3abf1775b247029374d67d2706b118f74f0535c4ff5af9f481af
            • Opcode Fuzzy Hash: 5775151af386eee01844949c431cb30d1f0815430a34239277ed3a520ef4a6f5
            • Instruction Fuzzy Hash: E0D1F2B2C0A355AFD731DA54C880BAFF7ECAF84754F040A29FA84AB150D770D9448BDA
            Function 03090274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
            • API String ID: 0-1700792311
            • Opcode ID: 1d4c661ac3d52d153476442eade77ad9db30c98ad05437728ebf7ee44317bf49
            • Instruction ID: 0a55fbd4d4cc4758504c4ede24865db59fc3ed14b56fbedba9787ac8017187c7
            • Opcode Fuzzy Hash: 1d4c661ac3d52d153476442eade77ad9db30c98ad05437728ebf7ee44317bf49
            • Instruction Fuzzy Hash: 1FD1EE35A02285DFEF12EF68C850AAEFBF2FF49754F08805AE9469B651C734D980DB11
            Function 02FDD08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 02FDD262
            • @, xrefs: 02FDD313
            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02FDD0CF
            • @, xrefs: 02FDD0FD
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 02FDD2C3
            • Control Panel\Desktop\LanguageConfiguration, xrefs: 02FDD196
            • @, xrefs: 02FDD2AF
            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 02FDD146
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
            • API String ID: 0-1356375266
            • Opcode ID: dd03ce8f4a2979fc6fdf27a85a420f0f3ac40091d5becfd637fc7904dc6a57a4
            • Instruction ID: 3ea6c268da7034878a81ea7fdb136b269e346ccbc547e096632866e9724cc298
            • Opcode Fuzzy Hash: dd03ce8f4a2979fc6fdf27a85a420f0f3ac40091d5becfd637fc7904dc6a57a4
            • Instruction Fuzzy Hash: A2A18E729093559FE721DF24C880BABBBE9FF88755F04492EF68896240D774D908CF52
            Function 02FEADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
            • API String ID: 0-664215390
            • Opcode ID: 2904a9d4100657005b4578e5e42498170aff72e17faf18d028616ed6e4a8524d
            • Instruction ID: 6546816ad176411eff5aef56d78045bf3cf5b096c6d62c63663110c8a03dfb3c
            • Opcode Fuzzy Hash: 2904a9d4100657005b4578e5e42498170aff72e17faf18d028616ed6e4a8524d
            • Instruction Fuzzy Hash: 0C328D75E012698BEF22CB14C894BEEB7B5BF45388F1441EAE64AA7250D7359E81CF40
            Function 02FF9EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
            Download Yara Rule
            Strings
            • Status != STATUS_NOT_FOUND, xrefs: 0304789A
            • @, xrefs: 02FF9EE7
            • minkernel\ntdll\sxsisol.cpp, xrefs: 03047713, 030478A4
            • sxsisol_SearchActCtxForDllName, xrefs: 030476DD
            • Internal error check failed, xrefs: 03047718, 030478A9
            • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 030476EE
            • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03047709
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
            • API String ID: 0-761764676
            • Opcode ID: 0091c2a6b5365e41ec1b6ed58f664ea4f54877f100e9b6513e89ff1edfde43c2
            • Instruction ID: 3ff2b4321ff23da04c5fa285d740de50c4ffc6accb3916dac5092c2340c79d34
            • Opcode Fuzzy Hash: 0091c2a6b5365e41ec1b6ed58f664ea4f54877f100e9b6513e89ff1edfde43c2
            • Instruction Fuzzy Hash: 17129E75A00219DBDB64CF58C880BEEB7F4FF08B54F1580A9EA59EB250E774D941CB60
            Function 02FEEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
            • API String ID: 0-1109411897
            • Opcode ID: 3a9ef98503ebf9c2637142001fea429ef5cdf2431bddaaa235bd16ef4f0224e2
            • Instruction ID: ebfec693dc2c52c08c2ed2e074cf546265a1b02a38baff49a6bc46302e6f7178
            • Opcode Fuzzy Hash: 3a9ef98503ebf9c2637142001fea429ef5cdf2431bddaaa235bd16ef4f0224e2
            • Instruction Fuzzy Hash: 36A267B1E066298FDF65DF19CC887ADB7B5AF85344F1442E9D90AA7290DB349E80CF00
            Function 02FDF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-523794902
            • Opcode ID: 352373d14b0a8e8d0a2b71c4abe986d198d4259b7a2af3905186cf6f09d4efa5
            • Instruction ID: d5fde59233a2a8f63edd137103b852c0e3051c17bc0861b2df5d5af88e3d5da3
            • Opcode Fuzzy Hash: 352373d14b0a8e8d0a2b71c4abe986d198d4259b7a2af3905186cf6f09d4efa5
            • Instruction Fuzzy Hash: 0B4212326093819FC715DF28C894B6AB7EAFF85384F084A6DEA86CB751D734D841CB52
            Function 02FFB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
            • API String ID: 0-122214566
            • Opcode ID: b8e816bc77b28e55ebe9d639e4e45db9ce1b01cebd456de85f9446956de5ecc1
            • Instruction ID: dc378892f9aa252c64aed10aed7c77f827f868f8bedf31a73ebcb259104838ba
            • Opcode Fuzzy Hash: b8e816bc77b28e55ebe9d639e4e45db9ce1b01cebd456de85f9446956de5ecc1
            • Instruction Fuzzy Hash: 81C16F71F012159BDB65DF64CC80BBEB7A5AF89388F188069DB06AB6E0E774CD44C391
            Function 030163FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
            • API String ID: 0-792281065
            • Opcode ID: be20a28bd37c0de7a0b174931779cb084d7aff3352e883162f0bde75e99769ae
            • Instruction ID: aac6659efde482c29002cd3ca5145bd0d99c73cf153c87f5a2d58b8ce997757b
            • Opcode Fuzzy Hash: be20a28bd37c0de7a0b174931779cb084d7aff3352e883162f0bde75e99769ae
            • Instruction Fuzzy Hash: 2A915531A033289BEB28EF55DC44BEF77E4EF41B24F580168ED016B684D7B99891CB91
            Function 03012674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 03052178
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 030521BF
            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 03052180
            • SXS: %s() passed the empty activation context, xrefs: 03052165
            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0305219F
            • RtlGetAssemblyStorageRoot, xrefs: 03052160, 0305219A, 030521BA
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
            • API String ID: 0-861424205
            • Opcode ID: f95571d09c4dd38512412fe2b1d6bd7ef2b3c92337857afde7490dc8a8aa6b04
            • Instruction ID: 82640ac2c9b7062e7d7f917f54751555260868827689b78db48369ef386c10e2
            • Opcode Fuzzy Hash: f95571d09c4dd38512412fe2b1d6bd7ef2b3c92337857afde7490dc8a8aa6b04
            • Instruction Fuzzy Hash: 6731E836E42216A7F721DA9A9C41FAFB77CDFA4A90F190859BB057B140D270DA00CBA1
            Function 0301C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • LdrpInitializeProcess, xrefs: 0301C6C4
            • LdrpInitializeImportRedirection, xrefs: 03058177, 030581EB
            • Loading import redirection DLL: '%wZ', xrefs: 03058170
            • Unable to build import redirection Table, Status = 0x%x, xrefs: 030581E5
            • minkernel\ntdll\ldrredirect.c, xrefs: 03058181, 030581F5
            • minkernel\ntdll\ldrinit.c, xrefs: 0301C6C3
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-475462383
            • Opcode ID: 8caa777ef9ac521c35697fe91649e92137bc663a3f3c574816b797938603cec6
            • Instruction ID: 608427b0e7764785165bce1845c39f5e84029af0d9f8a9246b57ee2a3d3b3028
            • Opcode Fuzzy Hash: 8caa777ef9ac521c35697fe91649e92137bc663a3f3c574816b797938603cec6
            • Instruction Fuzzy Hash: 5B3104757863029FE214EF28DD45E6BB7E5AFC4B50F044958FD85AB290E620EC04CBA2
            Function 03069C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
            • API String ID: 0-3127649145
            • Opcode ID: f03827d8a90ed91a3ea193bc3727e940516ab71926c638a18afea72c54da9b77
            • Instruction ID: 21d65dfd0cdf1c1f4e02e064f49abc75a20ff160f1f142827587b05e9afd686c
            • Opcode Fuzzy Hash: f03827d8a90ed91a3ea193bc3727e940516ab71926c638a18afea72c54da9b77
            • Instruction Fuzzy Hash: B9327EB4A027199BDB61DF65CC88B9AF7F8FF84300F1045EAE509A7650DB71AA84CF50
            Function 02FF9950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
            • API String ID: 0-3393094623
            • Opcode ID: d6a0e5b8d39e0b6060a6d881f4d2c8cae8c3e22e7891efc1d352f0099eaefcb6
            • Instruction ID: 29b3d0c008bbb9e28809a46cb06f2e190153431e879ae1bdd4052916d84b347f
            • Opcode Fuzzy Hash: d6a0e5b8d39e0b6060a6d881f4d2c8cae8c3e22e7891efc1d352f0099eaefcb6
            • Instruction Fuzzy Hash: 3B029F71909341CFC7A1CF64C180B6BB7E5BF84B84F45492EEB999B260E7B0D944CB92
            Function 030051EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
            Download Yara Rule
            Strings
            • Kernel-MUI-Language-SKU, xrefs: 0300542B
            • Kernel-MUI-Language-Allowed, xrefs: 0300527B
            • WindowsExcludedProcs, xrefs: 0300522A
            • Kernel-MUI-Language-Disallowed, xrefs: 03005352
            • Kernel-MUI-Number-Allowed, xrefs: 03005247
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
            • API String ID: 0-258546922
            • Opcode ID: 5f3f50408ba1cee28b7df0cf11cab2c21d86d1e770cdfbc33cb18094cbe67ae1
            • Instruction ID: 9fdece20ba46e1f5c06dc01704473be4993c6314d89af5a332b20f8f446e8608
            • Opcode Fuzzy Hash: 5f3f50408ba1cee28b7df0cf11cab2c21d86d1e770cdfbc33cb18094cbe67ae1
            • Instruction Fuzzy Hash: 88F16C76D06229EBDB11DFA9CD80AEEBBF9FF49650F15406AE501EB250D7709E008F90
            Function 03064F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
            • API String ID: 0-2518169356
            • Opcode ID: a8fd9e1708ccfda93cc7c36edb3a02e080f4c50908cc904882ce8f6120953206
            • Instruction ID: e12bc3ccdd43938e58b2a5938b90f49ba06c08482ad858332491d0640c35a4b5
            • Opcode Fuzzy Hash: a8fd9e1708ccfda93cc7c36edb3a02e080f4c50908cc904882ce8f6120953206
            • Instruction Fuzzy Hash: 8E91CF76902619DBCB21CF59C880ABEB7F4EF89310F594169E805EB354E735DA41CB90
            Function 0300D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1975516107
            • Opcode ID: 4b97fd138f4758b1bd010c6403b697f3049442afd7d8c26f882f2da24360e8bf
            • Instruction ID: 58b3cc946c093c070341df2c2e1e89997af97965538077fb2c9be01845b526f6
            • Opcode Fuzzy Hash: 4b97fd138f4758b1bd010c6403b697f3049442afd7d8c26f882f2da24360e8bf
            • Instruction Fuzzy Hash: 67512171E023459FEB64EFA4C88479EBBF1BF49314F284169D9016B2D5D774A940CBA0
            Function 02FD76B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
            • API String ID: 0-3061284088
            • Opcode ID: 037041ca6d03db4239959216de0df798e2d0d519bfef3a63f8c5d971f854330d
            • Instruction ID: fef8a9a6b3f2caa3415e7b920f78ffd556e9b99029d288a8c1d18e611e139a60
            • Opcode Fuzzy Hash: 037041ca6d03db4239959216de0df798e2d0d519bfef3a63f8c5d971f854330d
            • Instruction Fuzzy Hash: 1301D83210A2C0DEF226E719D82AFD6B7D9DF42BF4F2D4059E2054BA51CAA89880C961
            Function 02FF70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 77a620763406e9b826d4117599ceb4c56527ee4878cacf01cf7d0524142ce23e
            • Instruction ID: 9c6556c94612ef8f7c498a48e7949ad8f3de40dc416c353385fd65c16002e660
            • Opcode Fuzzy Hash: 77a620763406e9b826d4117599ceb4c56527ee4878cacf01cf7d0524142ce23e
            • Instruction Fuzzy Hash: 7413AF71E00655CFDB64CF68C880BA9FBF1BF49384F1481A9DA49AB3A1D734A945CF90
            Function 02FF1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
            • API String ID: 0-3570731704
            • Opcode ID: ad1bd051b3006daf5ec1f2954599837d0305e92ffd556b27a92cef7f266a905d
            • Instruction ID: bfc49f4be1ab9f2189187ac336d2c62070347ddd4efbd01c0d521f8981ae1064
            • Opcode Fuzzy Hash: ad1bd051b3006daf5ec1f2954599837d0305e92ffd556b27a92cef7f266a905d
            • Instruction Fuzzy Hash: DA922871E01269CFEB64CF18CC40BAAB7B6AF45354F1581EADA4DAB290D7309E84CF51
            Function 02FFA840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
            Download Yara Rule
            Strings
            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03047D56
            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03047D39
            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03047D03
            • SsHd, xrefs: 02FFA885
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
            • API String ID: 0-2905229100
            • Opcode ID: 9581d67202a34ed364523e2d4e308efb84358732a17a8e5def750af8f9385f17
            • Instruction ID: 8e279b9fdc86d395d5b5ea104652134949191a1b7bc5c6bdcf46c7630912e41d
            • Opcode Fuzzy Hash: 9581d67202a34ed364523e2d4e308efb84358732a17a8e5def750af8f9385f17
            • Instruction Fuzzy Hash: 63D1C075E00219CBCB64CFA8C8D0AADB7F5FF48754F194069EA09AB365D371A941CBA0
            Function 02FF3D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: c92c3893fec2950791ec2602238554d48d159e993a1e31a5949309e93c23e32f
            • Instruction ID: 0fd45e1a1e2ef0668ab5d1e022bcbfd231e9434b2f6269d64379ebcc01b5211a
            • Opcode Fuzzy Hash: c92c3893fec2950791ec2602238554d48d159e993a1e31a5949309e93c23e32f
            • Instruction Fuzzy Hash: 9CE2B074E002558FDB64CF68C890BAABBF1FF49344F188199DB49AB3A5D734A845CF90
            Function 02FEA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
            • API String ID: 0-379654539
            • Opcode ID: 8f3307c1d122a59e0b7508bd03184cdd310d7db7e2280ac3596ccd1d9fde7a5a
            • Instruction ID: b8c1f0f2988e7100d455fcab5953e43e347cf1238122b2ded1f21712cd9f926f
            • Opcode Fuzzy Hash: 8f3307c1d122a59e0b7508bd03184cdd310d7db7e2280ac3596ccd1d9fde7a5a
            • Instruction Fuzzy Hash: 36C1AFB5609382CFCB12CF14C540B6AB7E4FF84784F04886AFA968B360E734CA45CB52
            Function 02FF0C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 030454D1, 03045592
            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 030455AE
            • HEAP: , xrefs: 030454E0, 030455A1
            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 030454ED
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
            • API String ID: 0-1657114761
            • Opcode ID: 8e8d376c259ae03b5a8d746415596cce7167a1b66405d4daed230fab126481eb
            • Instruction ID: 5a415607a907cd9a6bf8f0244c5f9f552bf5bd00c12bff9f502df8e69c77f6ac
            • Opcode Fuzzy Hash: 8e8d376c259ae03b5a8d746415596cce7167a1b66405d4daed230fab126481eb
            • Instruction Fuzzy Hash: C8A13531A012459FD764CF28C850BBAB7E2BF41344F18816DE7868B75ADB35E844CB91
            Function 0301273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • .Local, xrefs: 030128D8
            • SXS: %s() passed the empty activation context, xrefs: 030521DE
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 030522B6
            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 030521D9, 030522B1
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
            • API String ID: 0-1239276146
            • Opcode ID: 05ad3289a5b09a8dd36a26f3ec1757271d59e93fc314ff62590995d6d48384f3
            • Instruction ID: 774c3509bdd6868bad564bb2c28ea3f957e3a61898cff219e43af67ec67837d1
            • Opcode Fuzzy Hash: 05ad3289a5b09a8dd36a26f3ec1757271d59e93fc314ff62590995d6d48384f3
            • Instruction Fuzzy Hash: F8A1A435902229DFDB64CF58DC84BAAB3B9BF58314F1949E9D909A7250D7309ED0CF90
            Function 004028F0 Relevance: 5.2, Strings: 4, Instructions: 196COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: gfff$gfff$sHM$sHM
            • API String ID: 0-3625229618
            • Opcode ID: e63027c9563fe6a084b9a2deb94f1d76e7985b452060e07f233023b34f26cfb0
            • Instruction ID: 879a77f12822bcb8771c03f45859fbc9c4128c90e9beff75cff69bb229d414a8
            • Opcode Fuzzy Hash: e63027c9563fe6a084b9a2deb94f1d76e7985b452060e07f233023b34f26cfb0
            • Instruction Fuzzy Hash: 15510571B0010547DF2C8D5DDE9966AB256EBD4304F18827FED0AEF3D1EAB8ED108A84
            Function 02FDF626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
            • API String ID: 0-2586055223
            • Opcode ID: e0955699cb2917056fff454bf485643f9412114295c38a1235f9ac403b7484f5
            • Instruction ID: baad349ad41efcad5d1ca798bb51521c8473329becbe55423861b4b5812f7ed6
            • Opcode Fuzzy Hash: e0955699cb2917056fff454bf485643f9412114295c38a1235f9ac403b7484f5
            • Instruction Fuzzy Hash: 0B610437206784AFE711DB24CC44F67B7EAEF85794F080669FA568BA91C734D800CB62
            Function 030911A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
            • API String ID: 0-336120773
            • Opcode ID: 5b464cceb0940036c4d996eed026e0dd9dbd8ebf67f4a1b6b9e13f6629c16675
            • Instruction ID: 06f920bce4383dc7df7a06ed9bdb878f43f2cf059e277908f1bdb7c9363fa05c
            • Opcode Fuzzy Hash: 5b464cceb0940036c4d996eed026e0dd9dbd8ebf67f4a1b6b9e13f6629c16675
            • Instruction Fuzzy Hash: 92311431702101EFFB15EB98C885FAAB3EAEF047A4F190456F502CF290D630ED50EAA5
            Function 02FD9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
            • API String ID: 0-1391187441
            • Opcode ID: 7fbda1d35cc783d6ebb5ae5ea94bae92dae5da630d39d866b94fdfbb78a6090b
            • Instruction ID: e6440a213e89c64d94daf283207283adfb62e95b456d05c738d33096e58123f0
            • Opcode Fuzzy Hash: 7fbda1d35cc783d6ebb5ae5ea94bae92dae5da630d39d866b94fdfbb78a6090b
            • Instruction Fuzzy Hash: E031E632A01504EFEB01DB85CC84FEEBBFAEF457A4F194055EA15AB290D7B0ED40CA60
            Function 02FF29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 02FF3255
            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 02FF327D
            • HEAP: , xrefs: 02FF3264
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
            • API String ID: 0-617086771
            • Opcode ID: d53c81cabb0fe0a144a22a104a9db7e22802950fa9f9879137450660fa37c761
            • Instruction ID: 794f43b93afac8e261bde9b5d59a0d78c9df69f61bfd2bcce9659eef151ee562
            • Opcode Fuzzy Hash: d53c81cabb0fe0a144a22a104a9db7e22802950fa9f9879137450660fa37c761
            • Instruction Fuzzy Hash: 9F92CE71E042899FDB65CF68C440BAEBBF1FF48344F18809AEA55AB3A1D735A941CF50
            Function 030702C0 Relevance: 4.4, Strings: 3, Instructions: 611COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: """"$MitigationAuditOptions$MitigationOptions
            • API String ID: 0-1670051934
            • Opcode ID: 9405917244dccec1823aa5cb4613086c18f9a13f1af8dba4701a3a6a83d3775b
            • Instruction ID: 56b8c7fe4f4f273f5f62f575bff5913da14e9cbf07612f0e4efcf902ea8ee20b
            • Opcode Fuzzy Hash: 9405917244dccec1823aa5cb4613086c18f9a13f1af8dba4701a3a6a83d3775b
            • Instruction Fuzzy Hash: 8722A2B2E167028FD764CF29C85162BFBE5BBC4310F188A2EE1DA87650D771E544CB49
            Function 02FF1F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: babf97b6ad4b1c5c6ef19ecc4af9307bc0ab983c82f85ba91b13d308586fd0ba
            • Instruction ID: 8e8b3391dd4af533fccbed831654bd215c9d25fdb242106f80f48f1f59788fd0
            • Opcode Fuzzy Hash: babf97b6ad4b1c5c6ef19ecc4af9307bc0ab983c82f85ba91b13d308586fd0ba
            • Instruction Fuzzy Hash: 0A2234B06012459FEB15CF28C850B7BFBF6FF06744F1884A9EA468B692E735D981CB50
            Function 02FF0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-4253913091
            • Opcode ID: 48cdb807196a4485274ceb59a5e34dc0e77c25292c899f9aff81e393896949dc
            • Instruction ID: 2f373eaf597bb464f7f92622e9c49977c71a56f3dd50582201ba61420ff01149
            • Opcode Fuzzy Hash: 48cdb807196a4485274ceb59a5e34dc0e77c25292c899f9aff81e393896949dc
            • Instruction Fuzzy Hash: FBF1FE75B01605DFDB64CF68C890B6AB7F5FF46344F1441A9EA069B3A6DB30EA40CB90
            Function 02FE1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 02FE1712
            • HEAP: , xrefs: 02FE1596
            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02FE1728
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: a3d6a0c7402f221e7c25e067c2e1ea7a736df8b4bdcc3d8a60a8b48e0f8762d8
            • Instruction ID: 411e663fcfae86fea7003c687b507320888b702632f236ec20fc1ec1df9c425f
            • Opcode Fuzzy Hash: a3d6a0c7402f221e7c25e067c2e1ea7a736df8b4bdcc3d8a60a8b48e0f8762d8
            • Instruction Fuzzy Hash: 5AE11271A042459FDB2ACF2AC451BBBBBF5AF49344F18845DE69B8B345D734E840CB50
            Function 02FEB6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
            • API String ID: 0-1145731471
            • Opcode ID: cd32269519e0d38bac7e4ae895674fbe9fb7951119c612dcb9ea409a8084b574
            • Instruction ID: 06c3c6b8b7ed133470722dd0b8dd80a2508c370b85cbbfe0ef6282f60fd81854
            • Opcode Fuzzy Hash: cd32269519e0d38bac7e4ae895674fbe9fb7951119c612dcb9ea409a8084b574
            • Instruction Fuzzy Hash: 7EB19C7AE067098BDB26DF59C980BADF7B6BF44348F18446EE552EB690D330E950CB40
            Function 0306368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
            • API String ID: 0-2391371766
            • Opcode ID: 7c5fe7e24e5a6b61003e645a434d90bb2aee0a48056c8958969aa10ef7954d1b
            • Instruction ID: a3b41f2c22a73ed88c37ee5975ee470da51783107812166d333c3bd862534f55
            • Opcode Fuzzy Hash: 7c5fe7e24e5a6b61003e645a434d90bb2aee0a48056c8958969aa10ef7954d1b
            • Instruction Fuzzy Hash: DEB1CD7A606345AFE321DF54CC80FABB7E8EB84710F044969FA419B2A4D775E804CBD2
            Function 03006962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $@
            • API String ID: 0-1077428164
            • Opcode ID: 5e15d7b0dc221a43ee6e52d2def0ca1d17c6f7b904b5be5298975338f1f57319
            • Instruction ID: 039678f99f10d86b32fa560a8a9b78a406991229ca4e856de6d923504e8e4ca4
            • Opcode Fuzzy Hash: 5e15d7b0dc221a43ee6e52d2def0ca1d17c6f7b904b5be5298975338f1f57319
            • Instruction Fuzzy Hash: C3C291B160A3419FE765CF24C840BABBBE5AFC8744F08896DE989C7290D735E944CB52
            Function 02FDA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: FilterFullPath$UseFilter$\??\
            • API String ID: 0-2779062949
            • Opcode ID: eb25dc5ace594b8670094f14ef32f81e9754d2fa557e3ff616d37cfa87dd28da
            • Instruction ID: 3a3704687a2dccc3273d071d92c9f95734e27015457ccd2d5fc154c73e3393bd
            • Opcode Fuzzy Hash: eb25dc5ace594b8670094f14ef32f81e9754d2fa557e3ff616d37cfa87dd28da
            • Instruction Fuzzy Hash: F3A1AE759022299BEB71DF64CC88BEAB7B8EF45700F1401EAEA09E7250D7359E84CF54
            Function 0301909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %$&$@
            • API String ID: 0-1537733988
            • Opcode ID: 625c2ea8ded602c5e56dd192dec5ec654aaca3b6210a55fd7ed2f21ac3ee877f
            • Instruction ID: fd779bcf36d1515621f48b7ae57bfe2b9e129df3dd00336c2405ab057467bfeb
            • Opcode Fuzzy Hash: 625c2ea8ded602c5e56dd192dec5ec654aaca3b6210a55fd7ed2f21ac3ee877f
            • Instruction Fuzzy Hash: 3871DE7060A3019FD790DF24C9A0A6BFBE9BFC5718F14895DF89A8B240C731D959CB92
            Function 030BB73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
            Download Yara Rule
            Strings
            • TargetNtPath, xrefs: 030BB82F
            • GlobalizationUserSettings, xrefs: 030BB834
            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 030BB82A
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
            • API String ID: 0-505981995
            • Opcode ID: 3c9474740cc80d7f28eb97f73d03a9b3355ac9058b1e94e69b28d503969a0d83
            • Instruction ID: 9632e54bcefdfc767c3249fdd511eafca9a9ff8e1989e4a8cdd2af2fbbbba60d
            • Opcode Fuzzy Hash: 3c9474740cc80d7f28eb97f73d03a9b3355ac9058b1e94e69b28d503969a0d83
            • Instruction Fuzzy Hash: F7617D72D42229ABDB61DF54DC88BDAF7B9AF44750F0101E9E609AB250DB74DE80CF90
            Function 02FDF7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 0303E6A6
            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0303E6C6
            • HEAP: , xrefs: 0303E6B3
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
            • API String ID: 0-1340214556
            • Opcode ID: b478159174b4a3ac4677a44d2065900f8bcdcc80f66a550823c0626155e93fc8
            • Instruction ID: 5f5a3bad46751dda53f901af091a852dff18f010bd2e9a10ef715b8a3321079d
            • Opcode Fuzzy Hash: b478159174b4a3ac4677a44d2065900f8bcdcc80f66a550823c0626155e93fc8
            • Instruction Fuzzy Hash: 26511932741685EFE712DB68C854F9ABBF9FF05384F1802A5E642CB692D374E900CB11
            Function 0308DAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 0308DC12
            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 0308DC32
            • HEAP: , xrefs: 0308DC1F
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
            • API String ID: 0-3815128232
            • Opcode ID: 8d3e88487780308e9e63dd85e1f21d410263c9771aed490036067ff4aae45c89
            • Instruction ID: 1999ce616f8e61cbc369207bc1a9c303f7d6ebd470fd4565ad273662faff191e
            • Opcode Fuzzy Hash: 8d3e88487780308e9e63dd85e1f21d410263c9771aed490036067ff4aae45c89
            • Instruction Fuzzy Hash: 53512535102150CAE7A4FF2EC844776B3E6EF45394F184E9AE4C2CB6C5D276D842DB61
            Function 0301C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
            Download Yara Rule
            Strings
            • Failed to reallocate the system dirs string !, xrefs: 030582D7
            • LdrpInitializePerUserWindowsDirectory, xrefs: 030582DE
            • minkernel\ntdll\ldrinit.c, xrefs: 030582E8
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1783798831
            • Opcode ID: a1a22f65a61db3981305c45433593912fb5a2954c84cfc2a770acb4083a3d765
            • Instruction ID: 4c879978643e39962de184911d2c883acd53adac7e59018da12ce0c4787e4937
            • Opcode Fuzzy Hash: a1a22f65a61db3981305c45433593912fb5a2954c84cfc2a770acb4083a3d765
            • Instruction Fuzzy Hash: EB41D2B6647304ABE760FB64DC44B9B77E8EF84750F04492ABE45D7290E7B4D8108B91
            Function 0309C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 0309C1F1
            • PreferredUILanguages, xrefs: 0309C212
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0309C1C5
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
            • API String ID: 0-2968386058
            • Opcode ID: f72ec5048bbae2c16a9469d00237ec809898619b1e86731baac838347f8a23ca
            • Instruction ID: a790e3c4cf622e7909fa3d31d222464fba545994a751ce32725b9e9c175ccc9a
            • Opcode Fuzzy Hash: f72ec5048bbae2c16a9469d00237ec809898619b1e86731baac838347f8a23ca
            • Instruction Fuzzy Hash: D4419F72E01219ABFF51DBD4C890BEEF7FDAB45740F04406BE601AB290D7749E449B90
            Function 03074144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
            • API String ID: 0-1373925480
            • Opcode ID: b927a3a7f7d7696d938db3f46fe4993c711874fa1df9e8fe832bc5d4f7c4ab57
            • Instruction ID: fc5331fe2ca58533bc0bfc4298842da69c9f26951b7f37d756ddb903896ca13e
            • Opcode Fuzzy Hash: b927a3a7f7d7696d938db3f46fe4993c711874fa1df9e8fe832bc5d4f7c4ab57
            • Instruction Fuzzy Hash: 1041F372E067988FEB21EB9AC840BADB7F9EF45380F180499D911EF791D7749901CB14
            Function 03064755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            • LdrpCheckRedirection, xrefs: 0306488F
            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03064888
            • minkernel\ntdll\ldrredirect.c, xrefs: 03064899
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-3154609507
            • Opcode ID: e5337c8cc27e1a103f472fff0fdf643136f78a13039f708c7cc4e7389509fd98
            • Instruction ID: 0d5feccaeafac401e7681980333f44199625478c66493b2f66f8b8031b277dc3
            • Opcode Fuzzy Hash: e5337c8cc27e1a103f472fff0fdf643136f78a13039f708c7cc4e7389509fd98
            • Instruction Fuzzy Hash: 8E410632A033518FCB61DF5AD940A6BB7E8FF8AA50F090599EC45DB319D330D810CB81
            Function 030133A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • RtlCreateActivationContext, xrefs: 030529F9
            • Actx , xrefs: 030133AC
            • SXS: %s() passed the empty activation context data, xrefs: 030529FE
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
            • API String ID: 0-859632880
            • Opcode ID: 550027b2de6a257675b292124e7559f0d192bb7b264f752bc87faa7beb79bcc3
            • Instruction ID: 76b37b7ac2fa1aff3169c81c564420f62aa954977cfbd6a8731f711375118352
            • Opcode Fuzzy Hash: 550027b2de6a257675b292124e7559f0d192bb7b264f752bc87faa7beb79bcc3
            • Instruction Fuzzy Hash: FB314436202301DFEB26DE58D880B9BB7E8AF48714F0948A9FD059F241CB30E851CB90
            Function 03011607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
            Download Yara Rule
            Strings
            • LdrpInitializeTls, xrefs: 03051A47
            • DLL "%wZ" has TLS information at %p, xrefs: 03051A40
            • minkernel\ntdll\ldrtls.c, xrefs: 03051A51
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
            • API String ID: 0-931879808
            • Opcode ID: c712fa0547b149dd488feb1eee4494cffebebdec14b2b3bcce06db51202acc76
            • Instruction ID: 6aed4bb703ed890d292e3d5d330cb3a77146030bd1cffedbc4c5d9b55cef5cb3
            • Opcode Fuzzy Hash: c712fa0547b149dd488feb1eee4494cffebebdec14b2b3bcce06db51202acc76
            • Instruction Fuzzy Hash: 8231E431A13300AFEB2CDB54CC85FAA77EDEB45795F150159EE05AB180D774AD24CBA0
            Function 03021270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
            Download Yara Rule
            Strings
            • BuildLabEx, xrefs: 0302130F
            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0302127B
            • @, xrefs: 030212A5
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
            • API String ID: 0-3051831665
            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction ID: b94f9208f4599085379fefb8e2461bed1ec595207339a98474335379ef0ea1f8
            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction Fuzzy Hash: E031AF76902228BBCB16EF95CC40EEEBFBEEB85750F004425F914AB160D7319A058B94
            Function 030620DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
            Download Yara Rule
            Strings
            • LdrpInitializationFailure, xrefs: 030620FA
            • minkernel\ntdll\ldrinit.c, xrefs: 03062104
            • Process initialization failed with status 0x%08lx, xrefs: 030620F3
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2986994758
            • Opcode ID: 4eec1999c093f826daa59b649856233e201366ace473b29749fab1cb5780e2e3
            • Instruction ID: 427fec73626345664a4eee629f8283598c56986c9a1f44eb02d13c9b445fcfad
            • Opcode Fuzzy Hash: 4eec1999c093f826daa59b649856233e201366ace473b29749fab1cb5780e2e3
            • Instruction Fuzzy Hash: 95F02274642308ABF724E60CCD06FDA37ACEB80B84F140069FF007B285D2B0E920CA81
            Function 02FF03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: #%u
            • API String ID: 48624451-232158463
            • Opcode ID: 1c2c196780279ead21a57920976e10f804907209dd99bab50dd65288dbbafc8b
            • Instruction ID: 2855339855ffdb0d671a25db708d0ec6df48053ea76ef36f86dbcc3921f22cf7
            • Opcode Fuzzy Hash: 1c2c196780279ead21a57920976e10f804907209dd99bab50dd65288dbbafc8b
            • Instruction Fuzzy Hash: 1D716EB6A012499FDB41DF99C980FAEB7F8EF48344F154065EA01EB255EB34EE01CB60
            Function 0308705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: kLsE
            • API String ID: 3446177414-3058123920
            • Opcode ID: 1314f582104631548118951f84e2ca924e1519131f6457305cbcdebd5a1c0d3b
            • Instruction ID: a1adcdcc06ddd81eed863ffa69d7961c910da8f83e091e1bdbb00d7310461b57
            • Opcode Fuzzy Hash: 1314f582104631548118951f84e2ca924e1519131f6457305cbcdebd5a1c0d3b
            • Instruction Fuzzy Hash: 6E418E3150334987EB21FBBCE884BA9BBD4AB40B64F680119EDD18F1CDCB794495CB91
            Function 02FF52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@
            • API String ID: 0-149943524
            • Opcode ID: 2740c90bc8707de2aa7891a7eaad0c4320c6a6aba808bf617139b43c756566ee
            • Instruction ID: ddb22dea054b818e9f335b77524812ab359055ba562ea5150b93884037a13c1f
            • Opcode Fuzzy Hash: 2740c90bc8707de2aa7891a7eaad0c4320c6a6aba808bf617139b43c756566ee
            • Instruction Fuzzy Hash: 6732D1B1A083158BC7A4CF18C490B3EB7E1EF85784F58492EFB959B2A0E735D944CB52
            Function 030AA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: `$`
            • API String ID: 0-197956300
            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction ID: d250a2becfb80c5ab5ddc67fb6b2fc020f4355dded3b816dede21519c2cc79a8
            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction Fuzzy Hash: 7DC1CC31305B429BDB24CFA8D840B6BFBE5AFC4318F084A2DF9958A2D0D775D505CB91
            Function 02FE0CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
            Download Yara Rule
            Strings
            • ResIdCount less than 2., xrefs: 0303EEC9
            • Failed to retrieve service checksum., xrefs: 0303EE56
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
            • API String ID: 0-863616075
            • Opcode ID: 250da7c04cac6cc19c9aa4103c05b6f63a7cd9ced8c8ec8f828f1b4dd7cdf4ab
            • Instruction ID: cb0d30a4ec6bb24a5d57a528cb99efda3bc840c474f77127d4a1e80aa276f745
            • Opcode Fuzzy Hash: 250da7c04cac6cc19c9aa4103c05b6f63a7cd9ced8c8ec8f828f1b4dd7cdf4ab
            • Instruction Fuzzy Hash: 4BE1F2B19093849FE325CF15C440BAFBBE4FF88754F408A2EE6999B280DB719509CF56
            Function 00402340 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: VUUU$gfff
            • API String ID: 0-2662692612
            • Opcode ID: 33688874944acb586d3fc57a9e9f4f8d141cc9dac61fdc3241720bfc4ec71f8a
            • Instruction ID: f070af8c3569dd332524cf827666c65d84e58f580518dd7ddae8feaceec0d59a
            • Opcode Fuzzy Hash: 33688874944acb586d3fc57a9e9f4f8d141cc9dac61fdc3241720bfc4ec71f8a
            • Instruction Fuzzy Hash: 39416132B0001907CB2C882E9F582BAB286E7D5315B599177DC8AEF3D4F4BC9D4652C9
            Function 02FEA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
            Download Yara Rule
            Strings
            • RtlpResUltimateFallbackInfo Exit, xrefs: 02FEA309
            • RtlpResUltimateFallbackInfo Enter, xrefs: 02FEA2FB
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
            • API String ID: 0-2876891731
            • Opcode ID: 98f85bba7caf77f9e60dd606d2f5302cd17cbdda57567f11a62fef900f0edcbd
            • Instruction ID: 1982eb14b43a8b553471d647184fdb0aa6fb897aab18af0748ac5403e345229f
            • Opcode Fuzzy Hash: 98f85bba7caf77f9e60dd606d2f5302cd17cbdda57567f11a62fef900f0edcbd
            • Instruction Fuzzy Hash: 1E41BF71B01649DFDB12CF59C840BAEB7B8EF84384F1844A5EA16DB251E376DA40CB90
            Function 0301329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local\$@
            • API String ID: 0-380025441
            • Opcode ID: 97913cee1e3b743ca0794cbebb0cf2e348a1ceefd620d1b2f28a4bc153c7132e
            • Instruction ID: 141bb8d2330cf51c5d21cf6d5c6260bf8ad11e8fe33e20d88113fd85e6036396
            • Opcode Fuzzy Hash: 97913cee1e3b743ca0794cbebb0cf2e348a1ceefd620d1b2f28a4bc153c7132e
            • Instruction Fuzzy Hash: 9B31D5B650A3049FC751DF28C880A6FBBE8FF84754F4809AEF99583210DA30DD14CB9A
            Function 02FEC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: MUI
            • API String ID: 0-1339004836
            • Opcode ID: 5b2f1bde683b11f89c9a646ad0dafffe3586db0d2e3b19726dd23cc62182f9b5
            • Instruction ID: b57ceff62a87429c824af05f423b7c3e197b31e0bdb45754df65372b2e17483c
            • Opcode Fuzzy Hash: 5b2f1bde683b11f89c9a646ad0dafffe3586db0d2e3b19726dd23cc62182f9b5
            • Instruction Fuzzy Hash: 1F828D75E002588FDF26CFA9C980BEDB7B5BF48784F14816AEA1AAB650D7309D41CF50
            Function 03032F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: P`vRbv
            • API String ID: 0-2392986850
            • Opcode ID: 920688209d306da9a8a7f6c2106ed7c0cf1e51c321210505f0fc6faa4f1ccae0
            • Instruction ID: 535c8b72df2d6b5f24b55693838a9ff71707f0427b20aae3a5ee1e463c056264
            • Opcode Fuzzy Hash: 920688209d306da9a8a7f6c2106ed7c0cf1e51c321210505f0fc6faa4f1ccae0
            • Instruction Fuzzy Hash: B942D279D06259AEDF69CB68D8946FDFBFCAF06310F1C84DAE441AB290D7348981CB50
            Function 02FE7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: de0ca1cfb0eaa98b9de00fd710cd973ff8a733c0ede7296b3a76bb51053d122c
            • Instruction ID: 3510b9d8835f1c5d3fdb17b7a1ea07a0639100fe95671ea17a1995410e64e18b
            • Opcode Fuzzy Hash: de0ca1cfb0eaa98b9de00fd710cd973ff8a733c0ede7296b3a76bb51053d122c
            • Instruction Fuzzy Hash: 15A14CB1A09341CFC715EF28D580A2AFBE6BF88344F14496DE6869B350E770E945CF92
            Function 03002E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 6aff99781189a14a9f54389abf9e788320fdf4178737efb2ddbde9e0bb9660a1
            • Instruction ID: a9a83426b3ec0f66b09c58467d9ecfb6db2fa7cb3e68cb09088f6b38b70a687d
            • Opcode Fuzzy Hash: 6aff99781189a14a9f54389abf9e788320fdf4178737efb2ddbde9e0bb9660a1
            • Instruction Fuzzy Hash: B8F1C67960A741CFE766CF28C5907AAB7E5AFC8710F0848BDE88987380CB34D945CB52
            Function 004168D3 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction ID: 909e4fd7064320abce83f4abc93d9c6d057b2f37113d79d8bb154cac043e28a7
            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction Fuzzy Hash: 15021EB6E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
            Function 02FE2FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PATH
            • API String ID: 0-1036084923
            • Opcode ID: 0990effcc9503b114bd4b121f8ebb6d785107e3923608b8f29ab7aa6d1f41bc8
            • Instruction ID: a44100d60d97c33937ad94bdaafed5a1075365f369fcb773e3516601290375d9
            • Opcode Fuzzy Hash: 0990effcc9503b114bd4b121f8ebb6d785107e3923608b8f29ab7aa6d1f41bc8
            • Instruction Fuzzy Hash: B5F1C071E01218DFCF26DF99D884ABEB7F1FF88740F554069EA42AB250D738A851CB61
            Function 0301F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ce074e63bf00fc07eaaf936d11dd3f5940fec52b5d9821c3526fb2544a42b742
            • Instruction ID: 7108d019295cb75209616533ae88f4e0de7b4441d48af33f55a8a5caa53ffb53
            • Opcode Fuzzy Hash: ce074e63bf00fc07eaaf936d11dd3f5940fec52b5d9821c3526fb2544a42b742
            • Instruction Fuzzy Hash: 3A414CB4D12289AFCB60DFA9C880AAEFBF4FF48340F54426ED459A7211D7359950CF60
            Function 0306EFA0 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: __aullrem
            • String ID:
            • API String ID: 3758378126-0
            • Opcode ID: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
            • Instruction ID: 8f41a17a37384b8c0f54f95f595e2f24d8dd7c4164d5dad9224e5d808258a3bf
            • Opcode Fuzzy Hash: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
            • Instruction Fuzzy Hash: DE41B271F0051A9BDF18DFB8C8805BEF7F6FF88310B188679D615E7294D634A9008780
            Function 02FE0100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 8845d663b41f0e4a85c2977b319f5a0434572dc6901524561e3c5e3f1d1f5487
            • Instruction ID: 8fff7f03257001bfd81c9338bd34e419a4ee58238fb2d35a7719e7f40635579e
            • Opcode Fuzzy Hash: 8845d663b41f0e4a85c2977b319f5a0434572dc6901524561e3c5e3f1d1f5487
            • Instruction Fuzzy Hash: 41A1E832E05268AADF26CA25CD40BFE77EA5F45384F04419DEE87BB281CFF49944CA50
            Function 00402500 Relevance: 1.6, Strings: 1, Instructions: 306COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: gfff
            • API String ID: 0-1553575800
            • Opcode ID: beb30fee9ec45c1463c62483f3fbafcc3f598cf8815951a013f0b549adfa8fd8
            • Instruction ID: aacb59dc1311d0170bd1c52be21ec892a741ae41315486ca466c025d7b95cf72
            • Opcode Fuzzy Hash: beb30fee9ec45c1463c62483f3fbafcc3f598cf8815951a013f0b549adfa8fd8
            • Instruction Fuzzy Hash: DEA1E676B001194BDF1CCA1CCE546AA7396EBD4314F18817AED09EF7C1EA79ED118784
            Function 0301A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalTags
            • API String ID: 0-1106856819
            • Opcode ID: 887386ea4773d4e4672f59e8c9d1a3a4c6216c530fda9826404b92d68e89a7a4
            • Instruction ID: 790463ae55bce11bf8cc284ba1155da1ed8ebabbd9a7f68cea65179d2ad4834f
            • Opcode Fuzzy Hash: 887386ea4773d4e4672f59e8c9d1a3a4c6216c530fda9826404b92d68e89a7a4
            • Instruction Fuzzy Hash: 61717E75E0220EDFDF68CF98D5906EEBBF1BF48710F58956AE805AB240D7329841CB50
            Function 02FE973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
            • Instruction ID: f6dd231a92d90a021e47577f2cf04d123306168767c225455b4bc1a868c4233f
            • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
            • Instruction Fuzzy Hash: 9B619D71E02219ABDF22DF95C840FEEBBB8FF84754F140569E921B72A0D7709A00CB60
            Function 0306F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
            • Instruction ID: 0c5616ea9d46ba35eb0f34cfb7f19d210c7c89a3d005e61910fd29d22c41f51f
            • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
            • Instruction Fuzzy Hash: 0151AB72606346AFE761DF64D840F6BB7E8FF84750F040969BA909B290D7B0ED14CBA1
            Function 02FFE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: EXT-
            • API String ID: 0-1948896318
            • Opcode ID: 4f12c1bbd08209587b0a73445f581904cbeeeeced552e251b67b154cf42ad1db
            • Instruction ID: 686e080b172dccdcb6f6d6698aa27f6c353d22880e09c80386ee55a33d4d4a55
            • Opcode Fuzzy Hash: 4f12c1bbd08209587b0a73445f581904cbeeeeced552e251b67b154cf42ad1db
            • Instruction Fuzzy Hash: 1A41D2726093059BD750DA74C880B6BB7D9AF88788F040929FB94E71B0E734DA04CB96
            Function 0309B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PreferredUILanguages
            • API String ID: 0-1884656846
            • Opcode ID: 489e76451cf441df51008112a18a7b67121899be927627f564afbeea5c04ea13
            • Instruction ID: 45c9af719ccbb474d4c9533ac2285954b5b9d300f86b8ece9b949560ad3fb11f
            • Opcode Fuzzy Hash: 489e76451cf441df51008112a18a7b67121899be927627f564afbeea5c04ea13
            • Instruction Fuzzy Hash: E841D636D01219EBEF11DA94DC40AFEF7B9EF48760F058167E901AB250D6B0DD40DBA4
            Function 0305C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: BinaryHash
            • API String ID: 0-2202222882
            • Opcode ID: 4c2db285fded5b38539eeb246aeb0841fb76041de41262313cada2b6e1f43882
            • Instruction ID: 397332fb64e71e8f3f447148e76b09dc755d20b84d20c19e776ca7ea4a2656cf
            • Opcode Fuzzy Hash: 4c2db285fded5b38539eeb246aeb0841fb76041de41262313cada2b6e1f43882
            • Instruction Fuzzy Hash: 9141F5B5D0172DABEB21DA50CC84FEFB77CAB45714F0045E5BA08AB150DB709E898F94
            Function 030697A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: verifier.dll
            • API String ID: 0-3265496382
            • Opcode ID: a10b552a2111e468bda622b50ed5e8a0fe7c2c8b94abea68d9f30af87bc666a6
            • Instruction ID: 15a2d30a6dd42370633b8e67e89f27d830a1e6c34078ed248fb6f3ce3673e17d
            • Opcode Fuzzy Hash: a10b552a2111e468bda622b50ed5e8a0fe7c2c8b94abea68d9f30af87bc666a6
            • Instruction Fuzzy Hash: 3131A371B02301AFDB64DF68D860B36B7E5EB89710F58947AEA49DF685E7318C808790
            Function 02FE5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx
            • API String ID: 0-89312691
            • Opcode ID: 3ac0debeba57d1af43ba412f73703da7df552611d9aa6c0ca98ca71281d384cd
            • Instruction ID: e5cd4a3e963c83de3789ccf237294a6bf9e919d65a603117d79a76d0b7df498d
            • Opcode Fuzzy Hash: 3ac0debeba57d1af43ba412f73703da7df552611d9aa6c0ca98ca71281d384cd
            • Instruction Fuzzy Hash: CB117F31B096138BEF26491D8850726B295AB91BACFB4812AF753CB290DA75D841C381
            Function 0306106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrCreateEnclave
            • API String ID: 0-3262589265
            • Opcode ID: a4d58b3b04ae6d146159d81e443ca54c7150db28c5ab36c3acfa0e556a678732
            • Instruction ID: 3915779caa2a498744e9ec245a4086720a40331b60839543c5c5e7703a800a62
            • Opcode Fuzzy Hash: a4d58b3b04ae6d146159d81e443ca54c7150db28c5ab36c3acfa0e556a678732
            • Instruction Fuzzy Hash: D52134B190A3449FC310DF2AD944A9BFBE8EBD5B40F004A1EBAA49B254D7B09504CF96
            Function 0301E8F0 Relevance: 1.0, Instructions: 985COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cf394559a47b1eface8b9738a7d6dd4ada2e3cf90f14b19073cdc7b842698329
            • Instruction ID: 39529887323988026926ac7c10662c2f9032e76520594b99e20a7db35f76b45e
            • Opcode Fuzzy Hash: cf394559a47b1eface8b9738a7d6dd4ada2e3cf90f14b19073cdc7b842698329
            • Instruction Fuzzy Hash: C5822F72F102188BDB58CFADDC916DDB7F2EF8C314B19802DE41AEB345DA34A8568B45
            Function 0302516C Relevance: .8, Instructions: 785COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 359d773667c659da748b12c4377af0358faad09c9c09d2553855ce1525146d4a
            • Instruction ID: 63fa44d7f9505395292ac7055a33f76bcae77f0450d94d578fbfbd60b1291333
            • Opcode Fuzzy Hash: 359d773667c659da748b12c4377af0358faad09c9c09d2553855ce1525146d4a
            • Instruction Fuzzy Hash: D862A43280666AAFCF15CF08D8904AEFFB2FE57314B59C59CD89A27604D371B944CB98
            Function 0303739A Relevance: .7, Instructions: 705COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 521cca3f03016f531a3fcce85a220bb0f5bbbf53ccaf3000df43f3bc60fa8aad
            • Instruction ID: aef80e807e5b8601b872782bbc508ef4d2eb95b5d29c0c6369f67a9975c7ddf2
            • Opcode Fuzzy Hash: 521cca3f03016f531a3fcce85a220bb0f5bbbf53ccaf3000df43f3bc60fa8aad
            • Instruction Fuzzy Hash: 2242D3B5A026168FDB58CF58C4906BEF7FAFF8AB14B18855DD552AB340D730E842CB90
            Function 03035AA0 Relevance: .7, Instructions: 652COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
            • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
            Function 0300B2C0 Relevance: .6, Instructions: 629COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 458aead629a8a1c02283d3c6e8c1d63d980dbb482957c71dc618bfba7b94c59e
            • Instruction ID: 353d94dca6bfa3bc24465c1132e08207874b2f6e1be94db092458fb25e6b416e
            • Opcode Fuzzy Hash: 458aead629a8a1c02283d3c6e8c1d63d980dbb482957c71dc618bfba7b94c59e
            • Instruction Fuzzy Hash: EE32B0B5E02219DBDF14DFA8D890BAEBBB5FF84714F180029E805AB391E735D911CB90
            Function 03078158 Relevance: .6, Instructions: 617COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dcb533ee6b2345a8929f8bae4037e77bb2ce9b7a73889a144ac7b2ea9ad7e197
            • Instruction ID: 1b69089dad665ffefd44cc3cbe8d2e645901c4ebe2a6dd2eee231f970f4cb6e2
            • Opcode Fuzzy Hash: dcb533ee6b2345a8929f8bae4037e77bb2ce9b7a73889a144ac7b2ea9ad7e197
            • Instruction Fuzzy Hash: F5424A75E012199FDB64CF69C886BADB7F5BF88300F18C099E949EB241D734A981CF64
            Function 02FF2840 Relevance: .6, Instructions: 605COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73faf34c7587a7fe245575a965946825262e9e2a9fae00336d35cbcab6bab269
            • Instruction ID: 1a71256c1e3de8a8cd8172684f3869ebd9618ea3cd48e0e0a3ea95d12868335e
            • Opcode Fuzzy Hash: 73faf34c7587a7fe245575a965946825262e9e2a9fae00336d35cbcab6bab269
            • Instruction Fuzzy Hash: 723222B4A027488BDB64CF69C8547BEF7F6BF86304F14412DD8869B684E736AA41CF50
            Function 0308A118 Relevance: .6, Instructions: 591COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b665a843331fc4d82ed2aed4e8865b5bbee2dc9351d769bebb8d803789209297
            • Instruction ID: 319bc8d5eac83a887c695f6ea8d94fc703aac05798f273c45e69adb94ef6197f
            • Opcode Fuzzy Hash: b665a843331fc4d82ed2aed4e8865b5bbee2dc9351d769bebb8d803789209297
            • Instruction Fuzzy Hash: E022BE747066518BDB64EF29C494376B7F1AF44300F0C889BE8C68FA85E739E492DB64
            Function 030A16CC Relevance: .6, Instructions: 571COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16830cb2d201ace7b672ac42a33fa532764f5e323a9da58d4e0caf744e9c9595
            • Instruction ID: ad778618bfadc7c0ff42831d83fd71d8478cc78606bb13f512e0923f897d366f
            • Opcode Fuzzy Hash: 16830cb2d201ace7b672ac42a33fa532764f5e323a9da58d4e0caf744e9c9595
            • Instruction Fuzzy Hash: 1D22A035A016168BCB5DCF9CD490AAEB7F6BF88314F1845ADD956DB340DB30A941CB90
            Function 0300FB80 Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d31544d3ab5e62caacc8e1d05509b7f59ed7094a810efed19cbbf0763be354d9
            • Instruction ID: 7db78868a6449cf06f2b8505331ec386c908abb5c18eeb5e6f1d70343c24ff16
            • Opcode Fuzzy Hash: d31544d3ab5e62caacc8e1d05509b7f59ed7094a810efed19cbbf0763be354d9
            • Instruction Fuzzy Hash: 8A22B27590220AAFDB50DFA4C880BAFB7F5FF44300F1885A9ED549B285E774EA45CB90
            Function 030A1D5A Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1b0598d6b6bd81e3dbccfb92571facbc921f4ea4008a46cbee1220250a800530
            • Instruction ID: 83f93d5de73b3fcee68453153a6bd0838a1e7de408fe96156ce247052f93d13a
            • Opcode Fuzzy Hash: 1b0598d6b6bd81e3dbccfb92571facbc921f4ea4008a46cbee1220250a800530
            • Instruction Fuzzy Hash: EC227D35605B129FC758CF58D490A2AF3EAFF89314F188A6DE996CB351D730E842CB91
            Function 03008DBF Relevance: .6, Instructions: 554COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4d148e114b67cccd00afd4a5d4cd6d63704ed49e48b22f345fccb09915514eca
            • Instruction ID: 819684554a847836a18ed470227accf0aa7c31f074bfe492f41e29bd92177621
            • Opcode Fuzzy Hash: 4d148e114b67cccd00afd4a5d4cd6d63704ed49e48b22f345fccb09915514eca
            • Instruction Fuzzy Hash: C62272B0E01256DBDF54CF65C5806BEFBF6BF84300F1884AAE8459B252E774DA41CB64
            Function 030A2446 Relevance: .5, Instructions: 485COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 708bb4a656a64e4784c827399fb8367fcbb540a6b0dbee66296adfe8e42bd7bf
            • Instruction ID: c9ad6163da7aa46ac7b0e6f4c049cd994ffaf32f3876780b5efed4673ad309c8
            • Opcode Fuzzy Hash: 708bb4a656a64e4784c827399fb8367fcbb540a6b0dbee66296adfe8e42bd7bf
            • Instruction Fuzzy Hash: 78020334606A518BDB94CFADD45037AF7F9BF85300B0889AAE8D6CF281D334D952DB60
            Function 030BB16B Relevance: .4, Instructions: 450COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e6f8b7c617e6a510c2d1a6bb9f4bdd86404724b44f19bceeed3070bc867f2a70
            • Instruction ID: 4d5e4f2d3bc5a8dd8cc05d2f85c6e8f0d8277cf2c080e2b6d9675faf2741aa55
            • Opcode Fuzzy Hash: e6f8b7c617e6a510c2d1a6bb9f4bdd86404724b44f19bceeed3070bc867f2a70
            • Instruction Fuzzy Hash: 42F1F772E006158FCF58DF69C9906BEFBF6AF8821071D416DD896DB380E674EA01CB90
            Function 004101F3 Relevance: .4, Instructions: 435COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction ID: 4ffb5ba711218b6ba4f5fdbc237d52be2d25b3550ab1acd5b79c41ba9e970d21
            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction Fuzzy Hash: 90026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
            Function 030BA9A6 Relevance: .4, Instructions: 425COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12f32a01658776701c16424818d9c648a20e7495182a71c294f1f4c61c4d97a3
            • Instruction ID: 170190d7e62a942237f7b600af15aab8141fb24e9ff284f34eedaf8cb4352cad
            • Opcode Fuzzy Hash: 12f32a01658776701c16424818d9c648a20e7495182a71c294f1f4c61c4d97a3
            • Instruction Fuzzy Hash: 4BF1B573F016269BCB18CEA8C5A06FDFBF5AF442507194269D866EB381D734DE41CB90
            Function 0300FDC0 Relevance: .4, Instructions: 390COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: df2216cde36200138fa030e84b68d3d7eed33117265c62475e87a1155530a1ad
            • Instruction ID: a6860f96aec57cc8dceccfc8c960464a43df3f9a140a2b8b7c7d9c045555b4e6
            • Opcode Fuzzy Hash: df2216cde36200138fa030e84b68d3d7eed33117265c62475e87a1155530a1ad
            • Instruction Fuzzy Hash: A4F18E70A0220ADFDB54DFA8C880BAEB7F5FF44304F2885A9ED059B245E734DA45CB90
            Function 02FD8397 Relevance: .4, Instructions: 380COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bc76a43de6539fd03bc227d28d6f11d5abfb9a11669d41250fcafdac99175f32
            • Instruction ID: 11961ccce2ec8e8f8d055ad57d6f385f5dfbd51c252e5283fa792d139aeb158d
            • Opcode Fuzzy Hash: bc76a43de6539fd03bc227d28d6f11d5abfb9a11669d41250fcafdac99175f32
            • Instruction Fuzzy Hash: 23D1B771A0120A9BCF14DF64CC90FBAB7E6FF45398F094529EA15DB281E734E942CB50
            Function 0300C6E0 Relevance: .4, Instructions: 367COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1f9bff75198acc18d19feae91dba4338131e59f8631ec295e561cad76f78c221
            • Instruction ID: bbb18ee0b1fc8efa3d2688d0d7ea1055da1626a8bacac84a1366aa777a3c7cc7
            • Opcode Fuzzy Hash: 1f9bff75198acc18d19feae91dba4338131e59f8631ec295e561cad76f78c221
            • Instruction Fuzzy Hash: F9D1AE71E062198BFF68CE88C5843BEBBF5FB45304F18866AD846AF2C4D7749A41CB45
            Function 02FF38E0 Relevance: .3, Instructions: 349COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3fa1c81024a3963961774f1b7a9452af3e8a5c1155eacb9b56d706d27756329d
            • Instruction ID: 0e84166f643ca5c90c3d94453a6678818c0cd55ecf94333c3783bec6569bda61
            • Opcode Fuzzy Hash: 3fa1c81024a3963961774f1b7a9452af3e8a5c1155eacb9b56d706d27756329d
            • Instruction Fuzzy Hash: 51E19175A01249CFCB18CF58C490AAEB7F5FF48350F1881A9EA55EB391D734EA41CB90
            Function 02FFCFE0 Relevance: .3, Instructions: 345COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2bc60bd22a401262bae12a5413439b8809f11aafe3dc04487cdf761550513f90
            • Instruction ID: 207210d848cced68f95e826463213d9a9ec4ef57cde0fe14c3a5e6ac74442f0d
            • Opcode Fuzzy Hash: 2bc60bd22a401262bae12a5413439b8809f11aafe3dc04487cdf761550513f90
            • Instruction Fuzzy Hash: 0CD1B231F023198FEBA4DF15C880BAAB7A1BF49344F0440E9DB09AB265DB75AD85CF51
            Function 02FED7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 450d3e043095e9524907e493c7836f5e9e8e7996aadb379cec76301ef08e100a
            • Instruction ID: 0e226769c73345018fb329c16df434bc149785511370dcde820d7350642e3512
            • Opcode Fuzzy Hash: 450d3e043095e9524907e493c7836f5e9e8e7996aadb379cec76301ef08e100a
            • Instruction Fuzzy Hash: F0C1F7B1E022069BDF15CF5AC840BAEF7FAFF44754F188269D915AB690D770EA41CB80
            Function 03068243 Relevance: .3, Instructions: 322COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
            • Instruction ID: 9b9e9d004d0e55283b67d6b8e967a9276efa825e051ebb59da98212256974e76
            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
            • Instruction Fuzzy Hash: F8B16E74A01609AFDF64DF95C940AABFBF9FF84304F14846DE902AB798DA34E905CB10
            Function 02FF0535 Relevance: .3, Instructions: 300COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction ID: 0067e0395f3e1a2df96843a77d23878d7bb7183811684ba9ea5ebee97374df87
            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction Fuzzy Hash: B9B12776701645AFDB51CB68C850BBEB7F6AF84340F1801A9E742DB396DB70EA41CB50
            Function 030090DB Relevance: .3, Instructions: 287COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fd11db77ad63d290be69787ce505977728906af0af11209b235a4d3db341ea4b
            • Instruction ID: 8241a6582989ea165f2b7811b47064c9c03f6fca8a53221a32aa2783f5fc8d4a
            • Opcode Fuzzy Hash: fd11db77ad63d290be69787ce505977728906af0af11209b235a4d3db341ea4b
            • Instruction Fuzzy Hash: 99A15171502215AFEB52EFA4CC85FAE7BB9AF49750F050064FA00AF2A1D775DD50CBA0
            Function 02FE83C0 Relevance: .3, Instructions: 281COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b9ecc5d8fa475d85f38261130c1194ebfcebaa5b72b2211369cfccb212e3ad90
            • Instruction ID: add4d81b2f9da28396a1b0d213aedf956ab698b526bc75527e06bd6556f7fc03
            • Opcode Fuzzy Hash: b9ecc5d8fa475d85f38261130c1194ebfcebaa5b72b2211369cfccb212e3ad90
            • Instruction Fuzzy Hash: F6C169B46083408FD764DF15C484BAAB7E5FF88344F44496DE98A873A0DB74EA45CF92
            Function 03020185 Relevance: .3, Instructions: 276COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 46fac5cfdc2465a455faea5fc8b24fdb1a31ab0b285cfc2a0598bbae3f8133e1
            • Instruction ID: 4743608e8d87761e80ee85a923cec317566d2e19ee6231732189b8306b1afc56
            • Opcode Fuzzy Hash: 46fac5cfdc2465a455faea5fc8b24fdb1a31ab0b285cfc2a0598bbae3f8133e1
            • Instruction Fuzzy Hash: 6EA1BFB4B03729DFDB24DF65C990BAABBE9FF44314F044529EA059B281DB34A815CB50
            Function 030660E0 Relevance: .3, Instructions: 264COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ebd8382ca90ccc6b86a6de2e0f8731e271a2e1599b555d06988fa491938703da
            • Instruction ID: 34434208f2424a8293a3aef79657aa5dc255e83e2ec2e5653d3177bb2ae42d7c
            • Opcode Fuzzy Hash: ebd8382ca90ccc6b86a6de2e0f8731e271a2e1599b555d06988fa491938703da
            • Instruction Fuzzy Hash: 3F91C671D0162AAFDF15CFA8D890BBEBBF5AF48700F154159E511EB344D73AE9008BA4
            Function 02FFE3F0 Relevance: .3, Instructions: 261COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2e387c5487f692d5148756241d89778a59c694be240c18f27651f48d6dda0288
            • Instruction ID: 4e6741e396376a28d212ff93346c26ada676c158d84c10194fc5bac444b18c0f
            • Opcode Fuzzy Hash: 2e387c5487f692d5148756241d89778a59c694be240c18f27651f48d6dda0288
            • Instruction Fuzzy Hash: 1591DF76A016158BD7A4DF58C980B7EB7A2EF84794F0940A9EF05DB3B0E734D901CB91
            Function 02FE1131 Relevance: .3, Instructions: 259COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aecc74de7f6605d3d58ded72b753769bd859b29c3a7ad35fe00f8059ddf5bcca
            • Instruction ID: 0b4439b502f61abe1488ff9eca75066502658cfe635bc9901643ed4ad3108a5c
            • Opcode Fuzzy Hash: aecc74de7f6605d3d58ded72b753769bd859b29c3a7ad35fe00f8059ddf5bcca
            • Instruction Fuzzy Hash: BFB12175A093818FD755CF29C880A5AFBE5BF89304F18496EF99ACB352D331E845CB42
            Function 03014750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction ID: 147e771769a6b35563f5829aac499790bf7aca205fa8bbcc292eeb8aa46ee2dc
            • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction Fuzzy Hash: 70814036E063968FDB11CDADC8C036FBBB5EF52340F2C49BAE8429B251C264D855C795
            Function 0302DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction ID: af15d84d63f6175e3ffc087ebcb2d9b07303fe37b0d449c67ef16d962e43611b
            • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction Fuzzy Hash: BE913D72611A16CFDB65CF29C885766BFE0FF55324B288A19D4FADB6A0C335E911CB00
            Function 030AF7B0 Relevance: .2, Instructions: 242COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7833c9582b678ba3dd7c981c8a28c5c7265fad4dae2f823010ee8fb0b2fc8ebb
            • Instruction ID: a89679cc7224171c4fd22e39bee958a497afb54b499e79bb3c84e1b08cdccb0b
            • Opcode Fuzzy Hash: 7833c9582b678ba3dd7c981c8a28c5c7265fad4dae2f823010ee8fb0b2fc8ebb
            • Instruction Fuzzy Hash: 9D91F371A05A07ABDB50DFACDC807AAB7E5AF84310F188578E854DB291D774E911CB90
            Function 030AF43F Relevance: .2, Instructions: 241COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dc9093c1b63bd356b08409f8efda840db3b3e78bee7c59327e00ff08845e433a
            • Instruction ID: 18d3f90535830f6314d6c3f6c49d5297c1bafbd6ecfb63b03d99add3379495c7
            • Opcode Fuzzy Hash: dc9093c1b63bd356b08409f8efda840db3b3e78bee7c59327e00ff08845e433a
            • Instruction Fuzzy Hash: C691DF72A0151A8FCB08CF6DD8906BEBBF1FF88314F1982A9D815DB395DA34E901CB50
            Function 030A81CC Relevance: .2, Instructions: 232COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 35dddc2cec46028e59c8b9ea16bb1f6e46af9d6e4236af7b2d8d1f36f9dba76a
            • Instruction ID: 846059de8cb6c81df43c1577c15438e36ad6935b1948bb6a416d09ecb1b1cfc5
            • Opcode Fuzzy Hash: 35dddc2cec46028e59c8b9ea16bb1f6e46af9d6e4236af7b2d8d1f36f9dba76a
            • Instruction Fuzzy Hash: 4881F472E019159BCB14CFADD8805BEBBF5FF88310B18876AD825E7280E7349951CB90
            Function 02FF0E59 Relevance: .2, Instructions: 231COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 31b67af057b6badd65e774e537f77307757c30221cff472e713c62cd0cc2a906
            • Instruction ID: ecded166dcc255da8f1eb9d67f5669346b04305c6a129d2c7e4cf71d5ea3bdcd
            • Opcode Fuzzy Hash: 31b67af057b6badd65e774e537f77307757c30221cff472e713c62cd0cc2a906
            • Instruction Fuzzy Hash: FF81C675E00119DFCB54CE59C8809AFBBB2FFC5390B29C299EA149B35AE730D901CB90
            Function 0309E4F6 Relevance: .2, Instructions: 224COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 744fb16256f6d30e7f8c9ee8916ff1d88854b987d87a8d215861aab29af670c8
            • Instruction ID: 1baa855985da3c2d6c430429f26cc535f7bf0bb5f574956c7ca5b9399735fa38
            • Opcode Fuzzy Hash: 744fb16256f6d30e7f8c9ee8916ff1d88854b987d87a8d215861aab29af670c8
            • Instruction Fuzzy Hash: 9A81BE72E012159BDF18CF98C9806ADFBF1EF89310B1981AAD816EB381D7309D41DB90
            Function 030AAB40 Relevance: .2, Instructions: 222COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction ID: 6344d565329ab5712bee8390080f4a1799075ee890a48fa751d89cdf3f7e95f4
            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction Fuzzy Hash: 2C818D75B11A099FDF58CF9CD880AAEB7F6AF84310F188569D8169B385DB34EA01CB50
            Function 0300D090 Relevance: .2, Instructions: 217COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction ID: c033b27391e4c31daf1c2a0abcdfcebc315f602bf064bc8ca9b991973ed638fb
            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction Fuzzy Hash: E8815CB6E021159BEF24DF9CC9807EDF7B2FF84304F19857AD815AB284DA319A41CB91
            Function 0301E284 Relevance: .2, Instructions: 212COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8336d6cd92fbce997ccf58372039c2775a55cb1c56e7ccc9c60ff6deef16c85e
            • Instruction ID: c725951e96608b8de97f9a9f59576a83bab07abf539b14fd2da88777583d872b
            • Opcode Fuzzy Hash: 8336d6cd92fbce997ccf58372039c2775a55cb1c56e7ccc9c60ff6deef16c85e
            • Instruction Fuzzy Hash: E8816F71A01609EFDB65CFA5C880AEEFBF9FF88350F144829E955A7250D730AC55CB60
            Function 0300B950 Relevance: .2, Instructions: 209COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f4afa631dc76f0c6fc17b421dafd3e229ff68fa44885e813c3ff6ec5abaac3bd
            • Instruction ID: d7bc80845ef4f620959651c9380bd9245a4b06c3b12141cfb96efff7c8dd9f4e
            • Opcode Fuzzy Hash: f4afa631dc76f0c6fc17b421dafd3e229ff68fa44885e813c3ff6ec5abaac3bd
            • Instruction Fuzzy Hash: 0A7125743067108EF764CF2AC94077AB7E6BB85744F18896DE896DB1C4C736E902CB60
            Function 02FFC640 Relevance: .2, Instructions: 206COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d0cc9b0ae4abe02637b0029949213661e27f72e08994d14b8455566d8424663f
            • Instruction ID: 27dd5cc372113de2af7e0a27137ae9a6bf378bd7e6759d058fd333cbce599ad9
            • Opcode Fuzzy Hash: d0cc9b0ae4abe02637b0029949213661e27f72e08994d14b8455566d8424663f
            • Instruction Fuzzy Hash: 2871D1B6D066299BCB25CF59C8507BEFBF4FF48740F14856AEA42AB360D7359900CB90
            Function 0309DAC6 Relevance: .2, Instructions: 202COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 119845541af65a5f266e93c3dcd451a845e70b0a05b5ab1422578006ec691859
            • Instruction ID: 10356de16a17dc6add7080e24389d6f26059a8791c465d3d388419dac20565b8
            • Opcode Fuzzy Hash: 119845541af65a5f266e93c3dcd451a845e70b0a05b5ab1422578006ec691859
            • Instruction Fuzzy Hash: 52818BB0D42686DEEF24CF6AC441AAAFBF5EF49700F04849BE495AB245D378D841EF50
            Function 030A70E9 Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dfecec4d398dc96127845ec77f358f4cda583e650f5b0fb39491a9483ecc9583
            • Instruction ID: bb0e3109e552f38202e69e8fc9612376605335edb27aeb924ce74db83d5bfc00
            • Opcode Fuzzy Hash: dfecec4d398dc96127845ec77f358f4cda583e650f5b0fb39491a9483ecc9583
            • Instruction Fuzzy Hash: 2A61F575E01A169BCB11EFEDD8909BFB3B9AF44B04F088439ED11A7240EB74D9418B90
            Function 02FF260B Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 48342794cfa66a803a753f553ff5b0720d4b1954612745ab2555292fb3729896
            • Instruction ID: d023978b79705b810674af6757b6da3b94e7a4e0ab6064e788bec6ec46c59183
            • Opcode Fuzzy Hash: 48342794cfa66a803a753f553ff5b0720d4b1954612745ab2555292fb3729896
            • Instruction Fuzzy Hash: 6471FF76A042418FC351DF28C480B2AB7E5FF84340F0885AAEA99CB361EB34DD45CF91
            Function 0309F0CC Relevance: .2, Instructions: 199COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14702df76f0cfae90f23c1a150e53d926219baa86ec623e3a2d839d188a4891c
            • Instruction ID: 34b152ec5dfbb0bb15fa8b9c6687f4c74e5e613e2d24be73ecf3c5831dcd9830
            • Opcode Fuzzy Hash: 14702df76f0cfae90f23c1a150e53d926219baa86ec623e3a2d839d188a4891c
            • Instruction Fuzzy Hash: EF717F79A02613DBEF64CF59C08027AF3F1BF44716B68446FD892DB240D774A991EB90
            Function 0306035C Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction ID: 214149ef9d0a6f6b7523199e56d8701d0bddf36fd430791acc00f156e26a0e93
            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction Fuzzy Hash: C8716D75A01619AFDB10DFA9C984EDEBBF9FF88300F144569E605EB250DB34EA41CB90
            Function 030762A0 Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d352454873e4f15612c4512dc60b59915be3dbd00e46014889860b7524d94fac
            • Instruction ID: a1d97b603500a24e3b1184dec198b047d3625bafe6bb5d0b946272d6fb06b69b
            • Opcode Fuzzy Hash: d352454873e4f15612c4512dc60b59915be3dbd00e46014889860b7524d94fac
            • Instruction Fuzzy Hash: F2711532A02B09AFDB32DF54C844F6AB7F9EF44750F144818E6578B6A0D776E844CB58
            Function 030A7A46 Relevance: .2, Instructions: 193COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8d8ada4b456496352933bc155413806a0ac1f6df79d4813fe7f219e59c6e60d9
            • Instruction ID: dc11149369da0ac5586ed23ea1374d7ea121543d6919cb6e770039062d4e6d84
            • Opcode Fuzzy Hash: 8d8ada4b456496352933bc155413806a0ac1f6df79d4813fe7f219e59c6e60d9
            • Instruction Fuzzy Hash: F6515975A016295BCB14DFEDD880ABEB7E6EFC8710F188569EC51DB381DA34C902C7A0
            Function 030A132D Relevance: .2, Instructions: 188COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 694eca1efb4885cea9c89b87f915fa2f780ecf033be79d853d7ce7fd4872fa4e
            • Instruction ID: 9fc3560b6431f5570cb3f74fe50288702263fc6500da57c21dcad216ac7513ef
            • Opcode Fuzzy Hash: 694eca1efb4885cea9c89b87f915fa2f780ecf033be79d853d7ce7fd4872fa4e
            • Instruction Fuzzy Hash: 3C818075A01605DFCB09CFA8C480AAEB7F1FF88310F1981A9D859EB355D734EA51CB90
            Function 030A903E Relevance: .2, Instructions: 186COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d0aeba587d7a95236f7ef03a5274ded238393db8e8acec552932a97f8cc433c
            • Instruction ID: 7d54f0379434d6ff542d027d42dd9d8bdf14d836f2708c45b8c73c399e5c7032
            • Opcode Fuzzy Hash: 2d0aeba587d7a95236f7ef03a5274ded238393db8e8acec552932a97f8cc433c
            • Instruction Fuzzy Hash: B261AD75302B19AFD755DFACD884BABBBE9BB84350F048619E8598B240DB30A510CB90
            Function 030AFCF2 Relevance: .2, Instructions: 181COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d5f13ba34f426a7140883be333cbddffaeb7f2b4722186f2ca77981651f693a8
            • Instruction ID: c376224e8365968d6f20d4d6bb2c2d559e396ee346713e7496d2d01d86e4ed6e
            • Opcode Fuzzy Hash: d5f13ba34f426a7140883be333cbddffaeb7f2b4722186f2ca77981651f693a8
            • Instruction Fuzzy Hash: 2761AF31A0160BABCB54DFACDC80BAEB3F5FF48310F148569E555EB280E774A915CB54
            Function 030A92A6 Relevance: .2, Instructions: 174COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5a26a660387f04f7458dee8d2c99429d0e6d607fe3d4338d5e56149608235054
            • Instruction ID: 30c1027f2b44d76d9ac7f34ca1323ce9bfcea6da39fbb85ae00160cfc174badc
            • Opcode Fuzzy Hash: 5a26a660387f04f7458dee8d2c99429d0e6d607fe3d4338d5e56149608235054
            • Instruction Fuzzy Hash: 7A610632306B458BD351CFACE894BAAF7F0BF80704F18486DE9858B691DB75E805CB81
            Function 030ACE93 Relevance: .2, Instructions: 172COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction ID: a5144c13528d9587c6dabd027ee99ebeb1c8e312212f1c6e839aba21e44b15b0
            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction Fuzzy Hash: 38516932606F029BE755DE6C9860B6BF7D6AFC0350F0E846DE956CB249DB30D80987D1
            Function 0040FFD3 Relevance: .2, Instructions: 165COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction ID: cb82c97ff7d367e4163dcb8121e241573915eba7e2d6b2e26530696aa99b62e3
            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction Fuzzy Hash: 0A5183B3E14A214BD3188E09CC40675B792FFC8312B5F81BEDD199B357CE74E9929A90
            Function 02FDB2D3 Relevance: .2, Instructions: 161COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e31a6d3ddd5927e14ba9d068e056b5a6d27043f48e82bfe7173cc4ca5c4a3873
            • Instruction ID: 87a6d50395bedbd6f01f130ca19c2a17d6ca9abf92d1ec4d067b05c32258a2d3
            • Opcode Fuzzy Hash: e31a6d3ddd5927e14ba9d068e056b5a6d27043f48e82bfe7173cc4ca5c4a3873
            • Instruction Fuzzy Hash: 814126316427009FDB26EF15DD80B6AB7EAEF457A4F1A4469EB19DB290D730E810CB90
            Function 030A7D73 Relevance: .2, Instructions: 160COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a40ab91a7aa82962799b19f020eb1e78805844bd44f7294b60a3408c5307e63c
            • Instruction ID: 2d7533c057281f17cfa00179243b83dcf739bfe48b05ad4a361532a03240b426
            • Opcode Fuzzy Hash: a40ab91a7aa82962799b19f020eb1e78805844bd44f7294b60a3408c5307e63c
            • Instruction Fuzzy Hash: F551B336A1114A8BCB08CFACD4806EEB7F5EF98314B19827AD815DB355E734DA15CB90
            Function 02FF3740 Relevance: .2, Instructions: 159COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1db87168ab2167844eedcd3def5efa06c35f6f093b93badf586cf90f1c0bbb39
            • Instruction ID: fe12120146cf073c7a3533cce9f50e87decaf6e84e009c80baafddbbdf0d48c6
            • Opcode Fuzzy Hash: 1db87168ab2167844eedcd3def5efa06c35f6f093b93badf586cf90f1c0bbb39
            • Instruction Fuzzy Hash: F1512576E0569A9FC751CF68C880B69B7B0FF04790F0542A5EA45DB360E739E991CBC0
            Function 02FE7152 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7c10793b0b56daed063f2b9fb1bf141c06a86c7bd9337dabecccdbd47f910c59
            • Instruction ID: 609c0f3173f16ce0e160922c14bbaf073ae76fdb82440f7866d246576f687411
            • Opcode Fuzzy Hash: 7c10793b0b56daed063f2b9fb1bf141c06a86c7bd9337dabecccdbd47f910c59
            • Instruction Fuzzy Hash: 9E511071A0160AEFEF0AEB64C944BAEF7B5FF44351F144069E60397290DB789A51CB80
            Function 03063A6C Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c241a02cd642088e1c99337eba19e35407ef374790ef31843e3f135b5c6f8d7
            • Instruction ID: 8e1f4342fad3ead8502f1e28cffe3c2f13588142830245056036938ed8cca8c4
            • Opcode Fuzzy Hash: 3c241a02cd642088e1c99337eba19e35407ef374790ef31843e3f135b5c6f8d7
            • Instruction Fuzzy Hash: D2518C36E4121D4BEF24CA58D461BFFB3F2EB84310F48085AF915BB3C0C6B66946D694
            Function 0305D800 Relevance: .2, Instructions: 155COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a244b0788ed4e67f18c17cdfdf1166974e08cc33eefd9b1d06a4392076dcaf1c
            • Instruction ID: 60710a8eb269207dc131e5cc6b764d31a714f34ec5989f28bbd7e5e26d929f94
            • Opcode Fuzzy Hash: a244b0788ed4e67f18c17cdfdf1166974e08cc33eefd9b1d06a4392076dcaf1c
            • Instruction Fuzzy Hash: B151CC78A02216EBDB64DF69C490ABFB7F8FF45700B1841ABED41DB690E7349950CB90
            Function 030AD26B Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction ID: 0fb231a405921f24559aa46a8d206027440b74a51365344ff84cff6cecd2a290
            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction Fuzzy Hash: 865149726097429FD710CFACD890B9ABBE6FBC8344F08892DF9949B640D734E945CB52
            Function 030A7571 Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 13e5447ac0fe10ad296d20bdb3cf9df07d63de36ab4f8e42116038045cee1797
            • Instruction ID: 55a3f09c0ed9fde6ee7344624bb01c3b76ba493a4b880d525f8bc6f1753fe12d
            • Opcode Fuzzy Hash: 13e5447ac0fe10ad296d20bdb3cf9df07d63de36ab4f8e42116038045cee1797
            • Instruction Fuzzy Hash: 5251C331A02519ABCB15DFECE8447AEFBF9FF88744F488569E901E7250DB749911CB80
            Function 03073140 Relevance: .1, Instructions: 149COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a2b933221d030b8a44b86f0aed7aaab46dab44fce6eef8ecf2446b3db77d2b62
            • Instruction ID: 28f8ae324647515a1a45e34dd4bfdbd1f0bc7f5a33bcec3eedf4414cfb9194eb
            • Opcode Fuzzy Hash: a2b933221d030b8a44b86f0aed7aaab46dab44fce6eef8ecf2446b3db77d2b62
            • Instruction Fuzzy Hash: 1D51CD76A05241DFE721CF18C840AAAF7E5FF88314F0989A9F9549B250D334E945DBCA
            Function 02FE51ED Relevance: .1, Instructions: 149COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d54902a0a4cffda724baf3a31f02fbf54f18a1a90aec2242fce90c9f4ec2e783
            • Instruction ID: 0de161a5d6330b0c8fc125505cab3f1d3a6ce0f0038621d1bb2d394d88338b64
            • Opcode Fuzzy Hash: d54902a0a4cffda724baf3a31f02fbf54f18a1a90aec2242fce90c9f4ec2e783
            • Instruction Fuzzy Hash: 9B518E71B02214DFEF22DBA8C940BEEB3F6AB44798F540029DA06FB251D7B59940CB51
            Function 03065BF0 Relevance: .1, Instructions: 145COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 201959b53b0cf42c518358a45ed152cbb49842d47cfce973e0572c6cea92b9ae
            • Instruction ID: 4053494dd77ad0159a6b6b2a5ff7dc9b0a25dee929fb7ae129ab425091ac3693
            • Opcode Fuzzy Hash: 201959b53b0cf42c518358a45ed152cbb49842d47cfce973e0572c6cea92b9ae
            • Instruction Fuzzy Hash: BC415B31B433199FCB65FFB88C125AE76E19F86B24B04052ADD02EF349DB7589004B95
            Function 0301F71F Relevance: .1, Instructions: 143COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7752132fa7f289a03b459239611fa89fd3b41d360ef1ba9c908de12f788908e3
            • Instruction ID: fda5c7ae0189ae0bc9b0de2b6676f90dfbdc8fd5cbed591764b2bf7f9b0e37ad
            • Opcode Fuzzy Hash: 7752132fa7f289a03b459239611fa89fd3b41d360ef1ba9c908de12f788908e3
            • Instruction Fuzzy Hash: 14418AB6D0622AABDB12DB988880AEFB7BD9F44750F4505A6E905F7601D634DE1087E0
            Function 030101F8 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c2d18a3d0798909d6509c95245f38b6008d5639e3e06ae3c7bc6ad64f4297b7
            • Instruction ID: 319f6f8a29da912bc0ca3335ac46dce765335881e66efeaf339d139ceef8391e
            • Opcode Fuzzy Hash: 3c2d18a3d0798909d6509c95245f38b6008d5639e3e06ae3c7bc6ad64f4297b7
            • Instruction Fuzzy Hash: 1341CF35D02215DBCB14DF98C840AEEF7B8BF48710F18815AE855FB250D7359D91CBA8
            Function 03022750 Relevance: .1, Instructions: 137COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction ID: 9cd934b840fbfae84e4372912d64426eef00120bfb9931eea72b025689a8e4ce
            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction Fuzzy Hash: 75516C75A01615DFCB55CF98C480AAEF7F6FF84714F2882A9E815AB750D730AE41CB90
            Function 0305D1C0 Relevance: .1, Instructions: 135COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction ID: 144093a55656cd7d1eccc7a0866ef38a99bd169894d2a76e0a2ef5d88da0fcfe
            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction Fuzzy Hash: 1A511775A05206DFCB58CF68C4816AAFBF1FB58314B18856EE819A7345E734EA80CF94
            Function 02FE6154 Relevance: .1, Instructions: 133COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ec6117c81f4d1512d799f069e29d97e992572d256c09883c6fb1d428f4fb234b
            • Instruction ID: 2ba0f73ea4a5fd68bcc4c4413c31cf649381f9fc769983fc77485c79ba8208d9
            • Opcode Fuzzy Hash: ec6117c81f4d1512d799f069e29d97e992572d256c09883c6fb1d428f4fb234b
            • Instruction Fuzzy Hash: E351F770A0121ADBDF66DB64CC00BA8B7FAEF11358F1482A5D626E72D1D7359981CF40
            Function 02FDB136 Relevance: .1, Instructions: 131COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d241b9d8c8e71653e6fdf6245adafe6c66ae6b7f759334a1d048cdcc96725f73
            • Instruction ID: dce6cbe7ec0c7d3efbee3cc5e35f9460a56a81740558dac43775a4991e47c9ac
            • Opcode Fuzzy Hash: d241b9d8c8e71653e6fdf6245adafe6c66ae6b7f759334a1d048cdcc96725f73
            • Instruction Fuzzy Hash: 1941C172642301EFEB26EF65C880B6ABBEAEF40798F094469E651DB260D774D850CF50
            Function 030AF0E0 Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c54a12e4906169e8383e28acb5fcda7cd7f9a17d3bca95112b138d860ff85b29
            • Instruction ID: 0fa3f8f6f3cde14b70762960d3563e18f5207ff18540d710e4cf14f4c26eb3f7
            • Opcode Fuzzy Hash: c54a12e4906169e8383e28acb5fcda7cd7f9a17d3bca95112b138d860ff85b29
            • Instruction Fuzzy Hash: 8041CF712083458FC745CF69D8A497ABBE1FFC4315F09895EE8958B282CB34D819CB61
            Function 030A866E Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction ID: c1b0bb10222abc9c1fb4a7f18dfa6f1d762b711671b33e3b5c1180b7be9ec1b1
            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction Fuzzy Hash: E3419575B02619ABEB14DFDDDC84AAFFFFAAF88640F188069E444A7351DA70DD008760
            Function 0308D5B0 Relevance: .1, Instructions: 128COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7557f3de5cfb0e94ded8a8b1f02323cbecd8dec4ab857ba4cc5610f7cc517c5e
            • Instruction ID: f18d85df3e1eb448fdb6bb4caf10d0ae3dd6ce900f53f7225f9a5638dd3b2b7d
            • Opcode Fuzzy Hash: 7557f3de5cfb0e94ded8a8b1f02323cbecd8dec4ab857ba4cc5610f7cc517c5e
            • Instruction Fuzzy Hash: 51411630A092999FCF14EF29C495BBAFBF1FF49300F09859AD4C58B285C735A466DB60
            Function 0040FFCC Relevance: .1, Instructions: 125COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 27ab9b91d591f589980a3a6e4b39d3379983ec09545a4a8c3d05022d4d241424
            • Instruction ID: b12c426c6bdd355d8c6ef9bafde81f10f764b6dbb7c96a44b0e66400a8da9c09
            • Opcode Fuzzy Hash: 27ab9b91d591f589980a3a6e4b39d3379983ec09545a4a8c3d05022d4d241424
            • Instruction Fuzzy Hash: 9641A272E14A114FD31CCF19CC906767693EFC8312B5A81BEC9064B7ABCE74E9819A94
            Function 02FDA020 Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction ID: 610c99f3f92cb762a88724e5eecde1f51860f8fedd4c2ad5768409881eda9e0b
            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction Fuzzy Hash: 01412C32B01211DFDB20DEA5C4447BEB7B7EF85B98F5D806AEA459B240D7318D40CB94
            Function 03010710 Relevance: .1, Instructions: 121COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction ID: fe672338d669d1f5c0495bee3ec3ec63e5c96e12cc7b1dadd2c84964c61e529d
            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction Fuzzy Hash: D5416F72A01705EFCB64CF98C980AAAB7F8FF08700B10496DE596DB650D370EA94CF90
            Function 02FE262C Relevance: .1, Instructions: 119COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12a9d95ed67d8ee8ef9a2ed3e22908a6acfdc02baf61883d6f3c9eaca1ef466a
            • Instruction ID: 63206ec49ac75165fdb238dc0f6e93232d82c309cdcc7e9f28a4e08afd345899
            • Opcode Fuzzy Hash: 12a9d95ed67d8ee8ef9a2ed3e22908a6acfdc02baf61883d6f3c9eaca1ef466a
            • Instruction Fuzzy Hash: DB4170B1902708CFCB22EF68C941759B7FAFF45350F148669CA179B2A0EB309941CF51
            Function 030AFFB1 Relevance: .1, Instructions: 117COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 025fb3dce4140624d4c5e5cbd87576b1994226e15e08c6bc726ce93eec002126
            • Instruction ID: 9773aa1b4da0f510a5e75ecf6dc0148ac4d06e0cafaca77afd5a0b218bce6a1f
            • Opcode Fuzzy Hash: 025fb3dce4140624d4c5e5cbd87576b1994226e15e08c6bc726ce93eec002126
            • Instruction Fuzzy Hash: 4C412221A152598FD741CB6AC8A06FBBFF1BF85209F0DC1A9DC819B242D739C906C770
            Function 030607C3 Relevance: .1, Instructions: 114COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6e5273f9a54b915401d9fe0b82bb39511f2744cf94e03cee2af605e82af15bf6
            • Instruction ID: ef4ef0b2179d0c589bfd61b83daa73d43f89b17b7ab38216c5bc3d152cf29b4a
            • Opcode Fuzzy Hash: 6e5273f9a54b915401d9fe0b82bb39511f2744cf94e03cee2af605e82af15bf6
            • Instruction Fuzzy Hash: 5E418C725093019FD360DF29C844B9BBBE8FF88664F104A2EF998D7254D770D914CB92
            Function 030AFA49 Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 642dc346230abcd97334ff5ee0ea4b9aad7455416bc8331a29e0ae1556afe746
            • Instruction ID: 0b5b9d69da2f7ff001a30fb3b7c8f3d04024da6ed0b218dea4e1340f1718d0cb
            • Opcode Fuzzy Hash: 642dc346230abcd97334ff5ee0ea4b9aad7455416bc8331a29e0ae1556afe746
            • Instruction Fuzzy Hash: 843148767129079BC718CEADEC44AE7BBEAEF94750F088534E909CB284EB74D845C394
            Function 030AEEDB Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4a63ea63c4754eb0edd7a6c873cad1de508009af09aceb413ad49b8045090591
            • Instruction ID: 28aa55198f4dc97016c3ed1438aff5ad67e1cf19468d696e17c1fd545cadff99
            • Opcode Fuzzy Hash: 4a63ea63c4754eb0edd7a6c873cad1de508009af09aceb413ad49b8045090591
            • Instruction Fuzzy Hash: E1419233E1542A8BCB18DFACD4915BAF3F5FB88304B6641BDD805AB284DB74A905CB94
            Function 030AFB76 Relevance: .1, Instructions: 109COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bfedf3a1f1e1465407c6c6e3484b6260a58b57b225f20ec6815f0c2b1d19598d
            • Instruction ID: 966b42ed78e316c63014fd3c04cdeebbb0b90d282a021da06584ec3958920c21
            • Opcode Fuzzy Hash: bfedf3a1f1e1465407c6c6e3484b6260a58b57b225f20ec6815f0c2b1d19598d
            • Instruction Fuzzy Hash: 7A31F435612906ABD710DFAEED44A9BBBF9EF88350F448424F908CB240DA74E901C794
            Function 0040E273 Relevance: .1, Instructions: 108COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction ID: 11983ca7894a64399670304e395be266cc9e7f5b4c66f456bb3e509b696f35fb
            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction Fuzzy Hash: 273172116586F14ED31E836E08BD675AEC18E9720174EC2FEDADA6F3F3C4988418D3A5
            Function 02FF02E1 Relevance: .1, Instructions: 106COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction ID: 53aae0c96d2f195229322bcc10c6715995a92cd948733da6d432502ebeac1e26
            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction Fuzzy Hash: FE312C32A09244AFDB61CB68CC40BDABBE9EF44390F0841B9E955D7366C774D544CB94
            Function 03009274 Relevance: .1, Instructions: 105COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6dde8b09cd3150557f64196a4576ae987220886945c355cc45ae1b0ab2bcce0c
            • Instruction ID: 230ccb735fc488f83d42352bf6a10e2c498befc9b7732d26f0c32464c042656e
            • Opcode Fuzzy Hash: 6dde8b09cd3150557f64196a4576ae987220886945c355cc45ae1b0ab2bcce0c
            • Instruction Fuzzy Hash: 35319075A02328AFEB31DB64CC40B9ABBB9AF85310F1501E9A54CAB291DB319E44CF55
            Function 02FE4260 Relevance: .1, Instructions: 102COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 048d4a74747e7dbeaad46a11abb0f6f715e41fb2f893fc6a5ed1c907a682cd21
            • Instruction ID: e7c91b4b2194e636f5579a35688c33cc0137a556b6ebcc66015d8b3b16affb7e
            • Opcode Fuzzy Hash: 048d4a74747e7dbeaad46a11abb0f6f715e41fb2f893fc6a5ed1c907a682cd21
            • Instruction Fuzzy Hash: 1A41D172201B44DFCB62CF24C980BD7B7E9AF44794F05446DE66A9B290C774E900CB50
            Function 030050E4 Relevance: .1, Instructions: 101COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction ID: 913e0934815ce97bf4568171c708a1f0b8d143ebe6f3417b538741a7a3c740d4
            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction Fuzzy Hash: 5C31F43160E3419BE761DA1CCC007ABB7D9AB8A790F0C8569F885CB2D0D274C941CBD2
            Function 030A61C3 Relevance: .1, Instructions: 97COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 20e044bb7d32c5fb22767ea8f9194ec3850f623c01e3c3e797f39f3b4be43a19
            • Instruction ID: e090b67ffc8416436d7916660b43ae5bf275302bf609ac38bd0fd15215ab068a
            • Opcode Fuzzy Hash: 20e044bb7d32c5fb22767ea8f9194ec3850f623c01e3c3e797f39f3b4be43a19
            • Instruction Fuzzy Hash: 1C31E475A01A19ABDB15DFD8DC80FAEF7B5EB44740F494168E900EB244D774ED40CB94
            Function 02FD9730 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 34516f9acd3db40ca5f0d0d614b0902aba077b1d873a4e5583b4419c7550c869
            • Instruction ID: 54f413e189203bf7b4063877bb04d77e4a0e1f65ba313c4ad31195523e7271b4
            • Opcode Fuzzy Hash: 34516f9acd3db40ca5f0d0d614b0902aba077b1d873a4e5583b4419c7550c869
            • Instruction Fuzzy Hash: BE21F536A017189FC322DF98C800B1ABBF6FF84B94F190969AB559B750D7B4EC00CB90
            Function 030A6BD7 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2cca2277a04582ce0b41b7de49a1e78281adc1eb545d994e3f9161dea83e8db3
            • Instruction ID: ca0833c041722f9ab6be1a5a560449b108f7fc203f50d3f27f811cabbb96ba06
            • Opcode Fuzzy Hash: 2cca2277a04582ce0b41b7de49a1e78281adc1eb545d994e3f9161dea83e8db3
            • Instruction Fuzzy Hash: B3319E316012049FCB14CF6EE8C5A5B7BF5FF48340F898569EA08DF249D671E915CBA8
            Function 030A60B8 Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cc21ee7a52212651660fb0c6cd1a57ced0f175b5963b46a8431956a62fed49ca
            • Instruction ID: 40b0f821c1e95bd2918f3e0b248e0e18e5c4da340dbb5db55f3ce4b0eeb543a8
            • Opcode Fuzzy Hash: cc21ee7a52212651660fb0c6cd1a57ced0f175b5963b46a8431956a62fed49ca
            • Instruction Fuzzy Hash: 7731D175602A09AFDB12DFEDDC50A6EBBFAAF44350F0C00A9E641DB352DA31DC008B90
            Function 02FE07AF Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d548f65174e32df58f6ad73529dd719c15f3a8e599777be30984747616f54fcf
            • Instruction ID: ffb442d8a83bdc827f2c3c5fa5403cd89e41df2cb0ce159082900d08ded1ea85
            • Opcode Fuzzy Hash: d548f65174e32df58f6ad73529dd719c15f3a8e599777be30984747616f54fcf
            • Instruction Fuzzy Hash: 36310232A05212DBCB13DE24C880E6BB7E6AF84290F05452CFE66B7210DE70DD01CBE1
            Function 0042EB93 Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2211cd311da02781c3ed66e3c9bc9b49fb4fcc51d5dbcf77691a79c07fcca0c4
            • Instruction ID: e319cd8de85734efbda9e1b1f8f0033bc769bcc5d3a52c45e50546647f6f9ad2
            • Opcode Fuzzy Hash: 2211cd311da02781c3ed66e3c9bc9b49fb4fcc51d5dbcf77691a79c07fcca0c4
            • Instruction Fuzzy Hash: 6C31C372B106265BD754CE3AD880656F7E5FB88310754863AD919C3B40E778F962CBD0
            Function 02FDD6AA Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
            • Instruction ID: 14d477482f97001056fed7d10d025308a01f0f2775c3630a178d1e46d96eeeee
            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
            • Instruction Fuzzy Hash: C631A577B01208AFDB62CE58C980F6AB7AAEF84794F1D84A9EF059B250D374DD40CB50
            Function 00403190 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261491242.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6b6cd9dc3d750a9233353202b53d788ef110e8aefd15fcfea0e40704a5215a5
            • Instruction ID: 564a7d5041aa79710a59763745fa428c1a5d1bf3eb07469460f77839e1ee6d8b
            • Opcode Fuzzy Hash: d6b6cd9dc3d750a9233353202b53d788ef110e8aefd15fcfea0e40704a5215a5
            • Instruction Fuzzy Hash: EF31C272A14B108FD368CE7DC841653B7E5EB8C310B418A2EE85AD7B80D778F901C784
            Function 02FE57C0 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 228692c66a1da6d68750cb1b8595f54c2e274eeae889b3a10ccd64c97a9071a7
            • Instruction ID: 18307bbcb6ed8b1e5c10a3c34c6f9069f748d9406c74a082fee82945a7c87371
            • Opcode Fuzzy Hash: 228692c66a1da6d68750cb1b8595f54c2e274eeae889b3a10ccd64c97a9071a7
            • Instruction Fuzzy Hash: D6318F36716A49AFDB52DB24CE40A99BBA6FF84344F445069EA5287A50D730E930CB80
            Function 0301A6C7 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction ID: 5b6f842f493137129e0bc2fe1eadd8c1d3d459de88a08105cbb1c95fb21da7b2
            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction Fuzzy Hash: 05311C72B02B01AFD7A4CF69DD41B57B7F8BF48B50F18492DA59AC3650E630E900CB60
            Function 02FE92C5 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction ID: 0515d8b0264da70bad83699686e5f6809f34da8603662004e6023d7e2ee5d2fd
            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction Fuzzy Hash: 8A317CB66093499FCB02DF18D84095ABBE9EF89390F0409A9FD55DB3A1D730DD04CBA2
            Function 0300438F Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c01c0b991e18a8861db874052e378d52518f56fd15e327590f31112646bd373f
            • Instruction ID: b83f8c0bf6897aa280b1ad491222c5f66ec4474469fc48e8081097f67481f14e
            • Opcode Fuzzy Hash: c01c0b991e18a8861db874052e378d52518f56fd15e327590f31112646bd373f
            • Instruction Fuzzy Hash: 6D31D431B023459FEB10EFBAC980A6EB7F9AF84304F008529D645D7694D735E941CF94
            Function 03037190 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction ID: dc0eaf94d67cd75548c845233d419ebbfeab9146f5133e481970e4d67a519885
            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction Fuzzy Hash: 97317C76605206CFC750CF1CC48095AF7F9FF8A710B2986A9E9589B315E730ED06CB91
            Function 0309C3CD Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction ID: d8cffa2a556322dc8f89b853d834f72aa5b5353f0cb8f4f1a56486ba4a815c53
            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction Fuzzy Hash: 5421F73EB01651A6EF14EB958800AFEF7B5EF80710F44801BF9968AA91E635DD50D7B0
            Function 02FDC156 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c46329b502c62b995742903991722b4aa876dfef34fd01fe2af7dcf6f33659d
            • Instruction ID: 5069adec1eada160461ac19c06a8c6baec37e62063955ccbdb0d667c259d2346
            • Opcode Fuzzy Hash: 9c46329b502c62b995742903991722b4aa876dfef34fd01fe2af7dcf6f33659d
            • Instruction Fuzzy Hash: 56313B755022108BCB61EF24CC40BA9B7F9AF41354F9885A9DD859F351EB34D985CF90
            Function 030B03E6 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8bd998ad5aada14f83c6932d131a499059a47d97307544674505ade5d13d9b99
            • Instruction ID: 9f2b728662354d1824d467e83e95bf005a5e7f1ff5ddda2cf93bcdc877b59121
            • Opcode Fuzzy Hash: 8bd998ad5aada14f83c6932d131a499059a47d97307544674505ade5d13d9b99
            • Instruction Fuzzy Hash: B33173B5B02119AFCB04DBA9C894ADFBBF9FF88204F414169E905E7200DB706D14CBA4
            Function 02FDE388 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction ID: 07ce40355d5a62ef3835251a615bcf93d799640fe9a62068c4b577cb529fd03d
            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction Fuzzy Hash: 53319F36600644EFD721CF68C984F6AB7FAEF85394F1845A9E652CB690E770EE01CB50
            Function 0305E609 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 599bae5bb0e385dad1be4cb45598e01adf838dc7265d037be08f7eff911eac76
            • Instruction ID: d3d2dfb7514042a382e665a9b68c1d2009bfe0ce241dc17fa017d73c85cc1354
            • Opcode Fuzzy Hash: 599bae5bb0e385dad1be4cb45598e01adf838dc7265d037be08f7eff911eac76
            • Instruction Fuzzy Hash: B0317E79A022099FCB14CF18C8809EFB7F9EF84384B154559FC899B390E771EA51CB94
            Function 02FE3616 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52e8101d385ae438b0cf8b7fe476fed9d283d63eef87e2402effdf50fd9986cb
            • Instruction ID: e0f3ab32d456beaba9ed6a423fb7f7c14604761b8bc00a9cfb40896007c58c92
            • Opcode Fuzzy Hash: 52e8101d385ae438b0cf8b7fe476fed9d283d63eef87e2402effdf50fd9986cb
            • Instruction Fuzzy Hash: B821E3716063589FCF229F14C958B3ABBE1BF80B94F450499EA424B761C771E844CF81
            Function 030B0591 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7989f8f5e89ef431dd53f10719e010bd139b7e841139718e2d93fd46bd7bd38e
            • Instruction ID: 97986703578bbc39ef1cb123aba6ba0f2b3724f0aa89f877fa518b07251ea288
            • Opcode Fuzzy Hash: 7989f8f5e89ef431dd53f10719e010bd139b7e841139718e2d93fd46bd7bd38e
            • Instruction Fuzzy Hash: 3C21EF326022058FD768CE29D880AEBB3F6EFC4300F9988B8D904DB695DB74F855C790
            Function 0300F32A Relevance: .1, Instructions: 79COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction ID: cf798ef88748d12e87458334a3dc6d7ef39b7ffb6c2ac30a6294548f1250a51e
            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction Fuzzy Hash: 8F21D4722022019FD729CF25C441B6AB7FAEF85360F15416DE5068B390EB70EC01DB98
            Function 0306019F Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6e145e085da187eb1c4c7f1ef5091cb0b752352c9acdeb37801238b08f169034
            • Instruction ID: 31d76a7ec7844038748865d8cc86870326320a5f4ff4f2ef7f6ab1341261ed14
            • Opcode Fuzzy Hash: 6e145e085da187eb1c4c7f1ef5091cb0b752352c9acdeb37801238b08f169034
            • Instruction Fuzzy Hash: 7F219C71601645AFD715DB68DC80F6AB7E8FF88780F1800A9FA05DB6A0D638ED40CB64
            Function 03019660 Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5ac7211fdcfe3b21146dbaae2241ffe05f5466cc84e08f800174c6d80deee807
            • Instruction ID: 33faf0add5116ed2c51944d0c59faca4391ed43ce74124ea72cd46836cc3cfb9
            • Opcode Fuzzy Hash: 5ac7211fdcfe3b21146dbaae2241ffe05f5466cc84e08f800174c6d80deee807
            • Instruction Fuzzy Hash: 7021F9311237489BCF71EA25CC20B2B77EAAF40364F144B59FD93465A0D736E861CBA1
            Function 03060283 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c7de3d4168f1a5a04963ef08ab89460faa366e725f6c25a904e867c4b2f68488
            • Instruction ID: 21198258e16aac28a2c0f061dd49d69a06042cc31b5fcd954eb85504fd9e334e
            • Opcode Fuzzy Hash: c7de3d4168f1a5a04963ef08ab89460faa366e725f6c25a904e867c4b2f68488
            • Instruction Fuzzy Hash: F121A17294A3859BD711DF59C944B9BF7ECAFD0240F080456BA80C7265D734D944CBA5
            Function 030871F9 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ba0196536458870209147484ee5157b9c8113ce768dfa864bd802e4a8cfca409
            • Instruction ID: 99a2cc0795327974a120d5ac2404567f0163f2e4b70f21d5e1fc8fc07dc542c5
            • Opcode Fuzzy Hash: ba0196536458870209147484ee5157b9c8113ce768dfa864bd802e4a8cfca409
            • Instruction Fuzzy Hash: 99212531A067408BC321FF698880B6FF7E9AFC0B14F24496DF8E687158CB70A8458791
            Function 0305D0C0 Relevance: .1, Instructions: 73COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction ID: 898c46a72ae351366284e4d30bf44db423216fc4392de254262a6e5bff5dfde2
            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction Fuzzy Hash: AD21CF72645704ABD321DF1CDC41B5BBBE5EF88760F04062AF949DB3A0D330E8008BA9
            Function 030B01AA Relevance: .1, Instructions: 71COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b0cdb3ac4630eb458654f3b63df5ca812cfc5ee966da6854e15ffca5c0eb07ca
            • Instruction ID: c50fdc06beb053685ed9af246246baab4f997823146822b41797b069bda711db
            • Opcode Fuzzy Hash: b0cdb3ac4630eb458654f3b63df5ca812cfc5ee966da6854e15ffca5c0eb07ca
            • Instruction Fuzzy Hash: 5D21D2713082588FD746CF1AC8F94B6BFE5FF9622970A81E6D884CB342C524980AC7B0
            Function 0301A30B Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4630d497b4241ba1f14bb992aae883f92c579375fdf9846e43924151b5434eae
            • Instruction ID: e7d2d14e7349519e2ff46c5a3e27eff14cf209e4850a026f206e7ce5a8119d5f
            • Opcode Fuzzy Hash: 4630d497b4241ba1f14bb992aae883f92c579375fdf9846e43924151b5434eae
            • Instruction Fuzzy Hash: 9621CF392427419FCB25DF29CC00B46B3F5EF48744F1484A8A909CB761E331E852CF98
            Function 030780A8 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
            • Instruction ID: e425a357f6370aa44515e359f3c02cfb71a8db937c2e004267585ac35e0aa4e2
            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
            • Instruction Fuzzy Hash: B1216A72A00209AFDF12DF98CC45BAEBBBAEF88350F214899FA14A7250D734D9508B54
            Function 02FDB765 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 97fd2542c687aafda80402243e1844f7858a4840394af7df708d275e4cbe8dce
            • Instruction ID: 730a9ac4ab2e277831e1294d656a032a72070e3ec3564881623b2e16855ee993
            • Opcode Fuzzy Hash: 97fd2542c687aafda80402243e1844f7858a4840394af7df708d275e4cbe8dce
            • Instruction Fuzzy Hash: FD216972542640DFCB22EF68CD40F59B7F6FF08748F194968E206876A1CB35A851CF44
            Function 030AEE26 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4d8bbcd8af322dbf6ed9223dd37653748a3dbe4bd68602975a45b6cf6236ae8f
            • Instruction ID: 593f75fe45208e498ac8a759f1fb9afa622cf5f72f2b45f49f5357854d97eb00
            • Opcode Fuzzy Hash: 4d8bbcd8af322dbf6ed9223dd37653748a3dbe4bd68602975a45b6cf6236ae8f
            • Instruction Fuzzy Hash: 2621E133A118119B9B18CF7DD84056AF7E6EFCC31036A427AD912DB6A4DB70B911C688
            Function 03010124 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction ID: bb4973695843b76e242e8570e7a734abf4ba69de54476a1522e248122edce462
            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction Fuzzy Hash: 5811E272642704BFE722DF88CD81F9ABBB9EB84750F144429E6448F190D675ED94CB50
            Function 02FE8770 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 83db8710a677a02b9beac81105ca25683066632a620e9c51333840049a219c73
            • Instruction ID: 90fdd8dbe295c5b978d1f59d589b2627297f2fba45f57ecf43239e09a11c667f
            • Opcode Fuzzy Hash: 83db8710a677a02b9beac81105ca25683066632a620e9c51333840049a219c73
            • Instruction Fuzzy Hash: B611C831B016189FCF12DF49C9C1A16B7E6AF467D4714406DEE0A9F215D7B2D901C790
            Function 02FE80E9 Relevance: .1, Instructions: 66COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a8696e0cc156ab845b3b35386acd1cfee84549f4616ebecf0cea0800c3929f7b
            • Instruction ID: 80cff7c6b11968246abf898311342b8633a3843c1703adf4a989a942f2687cb1
            • Opcode Fuzzy Hash: a8696e0cc156ab845b3b35386acd1cfee84549f4616ebecf0cea0800c3929f7b
            • Instruction Fuzzy Hash: 03218E32A40205DFDB15DF58C580A6EBBB5FB88398F20416DD205A7320CB75AD06CB90
            Function 0306D080 Relevance: .1, Instructions: 66COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 856a2e9204424a9bc2f706b3a1f75686afdb5905af7aca2340d73bc0c3a0ec7b
            • Instruction ID: c24361e3152b8c8b66e19c7aeaa1cdda023c8451c2b2674e0e863f843912d7a9
            • Opcode Fuzzy Hash: 856a2e9204424a9bc2f706b3a1f75686afdb5905af7aca2340d73bc0c3a0ec7b
            • Instruction Fuzzy Hash: E2112571252244ABC732EB28DC50F2677E9DF857A4F1904B8FB044F6A5DA35D841CB90
            Function 0301674D Relevance: .1, Instructions: 65COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: db9adb7397e1c881f4ece0ecae5f4ac1673002e1475330291a8d5c1988a82c74
            • Instruction ID: e6feede43c07dfad64435f00b6e3d65db126daca7bb394f7ae3e93f72678a3d2
            • Opcode Fuzzy Hash: db9adb7397e1c881f4ece0ecae5f4ac1673002e1475330291a8d5c1988a82c74
            • Instruction Fuzzy Hash: CC214D75502A04EFC760DF69DC81B6AB7E9FF44250F44882DE9AAC7250DA71A860CB64
            Function 02FD9240 Relevance: .1, Instructions: 64COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2327c9a8bb5cbbd6305eddc0b3fee3d1cc6e8c35455024393c3a0279b6e6b373
            • Instruction ID: 7b3bde8521ce5ce55bec9ace4183f8c21910f215c7947a9727c17c402518e5b3
            • Opcode Fuzzy Hash: 2327c9a8bb5cbbd6305eddc0b3fee3d1cc6e8c35455024393c3a0279b6e6b373
            • Instruction Fuzzy Hash: 4A112F3A013244AAC324AF51E801B627BE8EB99B80B544065ED008B298E739DC12CF29
            Function 030166B0 Relevance: .1, Instructions: 61COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a52815da9d08244989eb5609c40b6c8fb8523d9ccfe7685e61189441bb973876
            • Instruction ID: 0e859609fa4febc6a454cb5f173ad0021730c87384c0b21fa1c7c322e3d67fd9
            • Opcode Fuzzy Hash: a52815da9d08244989eb5609c40b6c8fb8523d9ccfe7685e61189441bb973876
            • Instruction Fuzzy Hash: 7611CE77A03208DFCB65DF59D990A5BBBF9AF84750B0A40B9EE059B320D635DD10CB90
            Function 0306D250 Relevance: .1, Instructions: 60COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a953bfcdadbb0f49e4d07336acafb13e746dc22a061003f853d118090bb91f61
            • Instruction ID: 78c8c6a13f8ed5350896dff6c6580e1cb83c2fc2c72fd77460c9c5f3faba8003
            • Opcode Fuzzy Hash: a953bfcdadbb0f49e4d07336acafb13e746dc22a061003f853d118090bb91f61
            • Instruction Fuzzy Hash: 2301497371320513C661E655CC94BAFF2D9DFA87A0F590534BF164B359DA29CC4186E0
            Function 030AFF09 Relevance: .1, Instructions: 60COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d76142b1ea14618f8611723dbbd9ab489517ed149a64ff43e72420256732e44
            • Instruction ID: cccd924bab7a3dc188e99c2461bb026f3ddd0a597e550ceb36022e56ddd9c8fa
            • Opcode Fuzzy Hash: 9d76142b1ea14618f8611723dbbd9ab489517ed149a64ff43e72420256732e44
            • Instruction Fuzzy Hash: 3B2172B1A112059FD754DF2AE8C4B42BBE4FB4C210B8585BAE90CCF646E7B0D854CB94
            Function 0306E7E1 Relevance: .1, Instructions: 59COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
            • Instruction ID: 42185a64124ff2b92d2e8a712bb64a8fc9814e920f4a0785bb0a0dafea7af586
            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
            • Instruction Fuzzy Hash: D211C139602700EFDB61DF45CA40B5AB7E6EF41740F098428E90D9B168D770DC40CBD0
            Function 030027ED Relevance: .1, Instructions: 58COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 845fb85878115e9850543bbe3505b08089c1f27819e6745fb95fdfc3169bffee
            • Instruction ID: 3fba80728d8767f4d10cbb6836f3e43994a5c12512926469494cc7a412222828
            • Opcode Fuzzy Hash: 845fb85878115e9850543bbe3505b08089c1f27819e6745fb95fdfc3169bffee
            • Instruction Fuzzy Hash: 6D01C476787684ABF316E2699C88F6BB7DDEF80398F0944B5F9018B690D964DD00C361
            Function 0300B052 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 369c5e83225c68d4ecd75b81814e974f347df91f969b9ef93fe38c423105a1d5
            • Instruction ID: 92f5a87c9a07e9cbb444ab8a26eed918612854da2d135d4005a19106d20036c1
            • Opcode Fuzzy Hash: 369c5e83225c68d4ecd75b81814e974f347df91f969b9ef93fe38c423105a1d5
            • Instruction Fuzzy Hash: CD01B976B053446BE710EBAA9D81FAFBBE9DFC4614F040439E605DB181D770E9018661
            Function 02FE4690 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e60f8cec03929c34f4b5f6d5835f4e865b46579ca2d22e3baccb63ac01f21288
            • Instruction ID: aa579aaf0ece76436b4469fdf91a9efc3fe50b0631f96f38b797316f11bc814d
            • Opcode Fuzzy Hash: e60f8cec03929c34f4b5f6d5835f4e865b46579ca2d22e3baccb63ac01f21288
            • Instruction Fuzzy Hash: C711E036601648AFDF22CF59D841B5677B5EB85BE8F00011AFA069B250C330E800CFA0
            Function 03016620 Relevance: .1, Instructions: 56COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a765aa52bba6d1192e9de5762091981c66e9f4212019d9a01ee96a97179a19c9
            • Instruction ID: 3f5a8241115bffe788190f4572a3296335992a39c4ea09b6feb6c6199e927d18
            • Opcode Fuzzy Hash: a765aa52bba6d1192e9de5762091981c66e9f4212019d9a01ee96a97179a19c9
            • Instruction Fuzzy Hash: D511A072A02719ABCB22DB98CD80B5EF7F9EF84780F950454DE01A7200D731AD118B50
            Function 02FD7330 Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 89a71c0d221ebca28c4342c8d9255e1ed0db7cfab5c624f4a8fded7079556ba5
            • Instruction ID: 54322667a4afa3243f60b8f60e3b57744706a41e1b7a7834ce0f737407b8ff58
            • Opcode Fuzzy Hash: 89a71c0d221ebca28c4342c8d9255e1ed0db7cfab5c624f4a8fded7079556ba5
            • Instruction Fuzzy Hash: 3E118272A41714DFD721DF59C841BABB7E9EF44398F094429EA95CB211D735EC00CBA1
            Function 0300F2D0 Relevance: .1, Instructions: 54COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 695d1d93570819ea2d8d43b917bff45b25ad18d6e445d9ca7015895ae916b80f
            • Instruction ID: f5034af8ac8f041ed22f623d7235de94001d5904f084e95d4d879a471c082afe
            • Opcode Fuzzy Hash: 695d1d93570819ea2d8d43b917bff45b25ad18d6e445d9ca7015895ae916b80f
            • Instruction Fuzzy Hash: 5F1125726027489BC720DF69C884BAEB7E8FF44710F1804BAF901EB291DA79D900CB50
            Function 0306E75D Relevance: .1, Instructions: 54COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
            • Instruction ID: 5cd521da606bfdc08618a34afd247a146b3dc87c154930ca921a164c4a2b4f77
            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
            • Instruction Fuzzy Hash: 8C01F53A602304AFDB61DF54CE00F9BBBEAEF80B90F198425E9059B264E771DD40CB90
            Function 030772A0 Relevance: .1, Instructions: 53COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction ID: 6b36e228c61130be0e7df3751405ed5c7702a0a8a4de51229a62570071fdf12c
            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction Fuzzy Hash: 4101F176141609BFDB12EF56CC90EA2FBAEFF847D0B040925F210465B0C731ACA1CBA8
            Function 02FDA250 Relevance: .1, Instructions: 52COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction ID: 373a3c3f195d2708967d89d4611d146f0524e1dc2fa6d4b3981b2d5e7dae97f8
            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction Fuzzy Hash: 1701F9729057119BCB308F16D840B767BF6FF457A1718892DFE958B690D731D400CB64
            Function 02FE6259 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7b5d964b0c0b42cf57cece460057a2dea537119af6ff5d093da7b4766b30a6fd
            • Instruction ID: e4a19d6d9554cddb1eb9f0304489a1440f957e91ea19ebc4aac2721329f03751
            • Opcode Fuzzy Hash: 7b5d964b0c0b42cf57cece460057a2dea537119af6ff5d093da7b4766b30a6fd
            • Instruction Fuzzy Hash: 4F115E7554222CABDF66EB64CC51FE9B6B8AF44710F5045D4A315EA0E0DB709E81CF84
            Function 0305E1D0 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 687beb5b8c74937c2dd346d0df1a13d91aa84e58b4095fdc914f0de3156b090b
            • Instruction ID: ee7707ad57245b84c76d06e2cdd344e259303901dd6231540e093526e7caa740
            • Opcode Fuzzy Hash: 687beb5b8c74937c2dd346d0df1a13d91aa84e58b4095fdc914f0de3156b090b
            • Instruction Fuzzy Hash: 93117C35242640EFCB26EF18DD90F56B7B9FF84B94F1400A5FA059B6A1C635E901CA90
            Function 02FE208A Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction ID: 6cc2ac1f145b1ded7af31f88d47476e7c50ab5148f25f44649d236617b5b9433
            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction Fuzzy Hash: 91012833A012018BDF12CA19DC80BA2776EBFC4B40F1944A5EF028F29AEA71C881C790
            Function 03066050 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e685faa474ad0a8e7f72c04a5a44503d749e853b18824c928f11b4fdd2f63151
            • Instruction ID: d9fb88ad425903d1fcd1dabcebd215cc942d59f7d6dc85c3377b2ccbe857628e
            • Opcode Fuzzy Hash: e685faa474ad0a8e7f72c04a5a44503d749e853b18824c928f11b4fdd2f63151
            • Instruction Fuzzy Hash: 2711177690111DABCB15DB94CC80DEFBBBCEF48254F044166A906E7210EA35AA14CBA0
            Function 02FDC020 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction ID: 3d07d3ca1d31889fa279c80a1d700b90d222471c361c4afa6a47d41484a00046
            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction Fuzzy Hash: B301D4322017459FDB22E666C804EA7B7FEFFC5794F49881AEA46CB540DA70E502CB60
            Function 030220F0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c828d298f837b85b6f9ddbe6b03f47eab27d4e6bd3e0503621516f0dbb91666f
            • Instruction ID: 90e562198adb843803d23b704e4475b54b1444233d1a71bfccf376c3367d04bd
            • Opcode Fuzzy Hash: c828d298f837b85b6f9ddbe6b03f47eab27d4e6bd3e0503621516f0dbb91666f
            • Instruction Fuzzy Hash: 6C118075A0225CAFDB45EFA8C850FAF7BB9EF84340F004499F9019B250DA35EE11CB90
            Function 02FD9353 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction ID: 66fea513086e4b29b840713bd74876dba1b1b1f1bdfb2c0b707f47d4cee2286a
            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction Fuzzy Hash: AD11C432901B02DFD7319F55C880B22B3EAFF407A6F19886CD6994B4A5C3B5E880CF50
            Function 030033A5 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction ID: 84ac4a4ca42c67e36dbe3d287e49a4c3d5f9de084060919132d63b8c6fbf7427
            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction Fuzzy Hash: 1901D63A702205A7DB17DAAADC40E9FBAAC9F84640F150469BA15DB5A1EB30E911C760
            Function 0301D1D0 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction ID: 08f793bded03bf1e6e397e2f1816eb4c9f31cf956c96e3440505e2aae73097ed
            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction Fuzzy Hash: 1D01F776A032449BD711DA58E800FBAF3A9DBD5724F148155FE358F280DB74D911C791
            Function 02FD826B Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a6b89d61bde71246ca913a6b49e77bae46b743d1574646f4553238a9e60a7807
            • Instruction ID: c19fb30760f15ccf28d9b7ca91a450aeb3872de8016b69e7004f93ad7a0fbfe3
            • Opcode Fuzzy Hash: a6b89d61bde71246ca913a6b49e77bae46b743d1574646f4553238a9e60a7807
            • Instruction Fuzzy Hash: C101A736B02604DBC704EB6ADD00AAF77FAEFC0294F1D40699A029B644EE70DD02C695
            Function 02FFE016 Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction ID: c571ed5a5c06899de57379d9b88873c4b926e10aa4a536d9b3e42c1d5670d193
            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction Fuzzy Hash: F5017CB22016849FD362C61DC948F2A77DDEF85B94F0D04A1FA05CBAB1D7B8DC40C62A
            Function 0309F367 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 54781486a3aeaa5120fd815770c411fe41647813181e76ac43605673700d918a
            • Instruction ID: 1cc502bf2b90050481c7abebd2f9fdb9f862de572f1ea2d037820a38f38beaa4
            • Opcode Fuzzy Hash: 54781486a3aeaa5120fd815770c411fe41647813181e76ac43605673700d918a
            • Instruction Fuzzy Hash: F4018475A11358ABDB10EFA9D855FAEBBB8EF84700F044066B901EB280D6B8D900CB94
            Function 030A972B Relevance: .0, Instructions: 44COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
            Function 030B5636 Relevance: .0, Instructions: 44COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb66201babf0b4fa15d381211233e87c537c39b177e97d981431c440248b04eb
            • Instruction ID: c278d48e587be694cb0f58d62fdf7b9f3ce18a9dabb3b5aa68f395423b22e984
            • Opcode Fuzzy Hash: eb66201babf0b4fa15d381211233e87c537c39b177e97d981431c440248b04eb
            • Instruction Fuzzy Hash: 3F118078D01259EFCB04DFA9D440ADEBBB4EF08304F14849AB915EB350E774DA02CB64
            Function 02FDC310 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction ID: 4c07374e37fd24b8b720a85a967245a17adf663051a9bc335ea46558a88f2950
            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction Fuzzy Hash: FBF0F673749A229BC73356698C40B6BB69B8FC1BE4F1E0037E3099B244CA608C02DBD4
            Function 030B5152 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b483ca0b6d34f4daa6348c87c07817594c79be274adc71127f75207e29aa3788
            • Instruction ID: e8b1abd59d7e77db23166bb0829d0769e8741d1fca20e35d997feb2d781db570
            • Opcode Fuzzy Hash: b483ca0b6d34f4daa6348c87c07817594c79be274adc71127f75207e29aa3788
            • Instruction Fuzzy Hash: 09017175A1120C9BDB00DF69D9409DEBBF8EF48300F10405AF900E7340D674EA018BA0
            Function 030B5060 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 270c9f3f51fdcc000dc837a115f5ca67f3db0d70a7c6eea594d41e69c0b3d2e3
            • Instruction ID: 31e4223dc07b29f390ba585de6550004e26e90a811f7a7bd89f656ae8a9455d8
            • Opcode Fuzzy Hash: 270c9f3f51fdcc000dc837a115f5ca67f3db0d70a7c6eea594d41e69c0b3d2e3
            • Instruction Fuzzy Hash: A1017175A1135C9BCB00DF69D9419EEBBF8EF48300F10405AF901E7341D674E9018BA0
            Function 0300C073 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction ID: e08ca6f0edfd27ac94d34a6d3bb012f4ed41e0e1a1316b4981a931ea3263f48b
            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction Fuzzy Hash: 13F0C8B2601614ABE324CF4DDD80E57F7EADFC0A80F048228A515CB220E631DD04CB50
            Function 030B50D9 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8032016f1ecdcf5b4993d8688edf026f4d86cf809ae5c1300c143f6962b76554
            • Instruction ID: 9aee52e4d2d5fdda13af9cf939ad588a9d41ec2f212bfb6f16db728b9541890d
            • Opcode Fuzzy Hash: 8032016f1ecdcf5b4993d8688edf026f4d86cf809ae5c1300c143f6962b76554
            • Instruction Fuzzy Hash: B6012CB5A0121DABDB00DFA9D9419EEBBF8EF49350F50449AFA01F7390D674E9018BA4
            Function 03015734 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
            • Instruction ID: e9921912268cbdd6effdc9e8536e2a6c13757b9a035220a925417125935b0da0
            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
            • Instruction Fuzzy Hash: 42F0DC73A02214AFE319CB5CDC85F6AF7EDEB86690F094069D500DF230E671DE04CA94
            Function 0309F78A Relevance: .0, Instructions: 42COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 217227aa22602836add8d670e077ec71b944b030084bcc463bbd8fdd3ac6051e
            • Instruction ID: 16ee05da986aa736093c3195caba597da5090f67faf2afea7a75d9ced7032a2f
            • Opcode Fuzzy Hash: 217227aa22602836add8d670e077ec71b944b030084bcc463bbd8fdd3ac6051e
            • Instruction Fuzzy Hash: 130140B4E0134E9FDB44DFA9D441A9EBBF4EF48300F10805AA905EB350E674DA00CB60
            Function 030663C0 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
            • Instruction ID: 407ca2cfaa2ed697888e21355993bbc7f2e6535ab82c629a7d2d9ae40be848df
            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
            • Instruction Fuzzy Hash: 14F0127210111DBFEF019F94DD80DEFBB7EEF452D8B114165FA1196160D632DD21ABA0
            Function 0309F2F8 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b4dd3308d6297a9f7dc72687425c7b0f1f764997229a890084f86f75026daab6
            • Instruction ID: 8f257a14a7e7484bc2c3b7323dd20c428e244b02e0f6e76d5c560b98ae159302
            • Opcode Fuzzy Hash: b4dd3308d6297a9f7dc72687425c7b0f1f764997229a890084f86f75026daab6
            • Instruction Fuzzy Hash: 68F0C876F11358ABDB04DFB9C805AEEB7B8EF48710F00809AF501EB290DA74D9018B64
            Function 030B61E5 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: df592e2b1cdba1806d328a0ec23090c044142e2d1066ce524501b40dcf5b6231
            • Instruction ID: e676aa5fd7b33ff464284700823f6ef03e05085ab7789aa792f539a396eb06c4
            • Opcode Fuzzy Hash: df592e2b1cdba1806d328a0ec23090c044142e2d1066ce524501b40dcf5b6231
            • Instruction Fuzzy Hash: FA014F71A0165D9FDB04DFA9D855AEEBBF8EF48310F14405AF501AB390D778EA01CBA8
            Function 0301724D Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction ID: 1aa611c4146f408228e8e65a5762df1cc8b63028d9de97e9d905a9ba22a20731
            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction Fuzzy Hash: 20F0F675A033656BEB50DBA98940FEEFBE8AFC0B10F0885A5F9019B540D630EA51C750
            Function 030B53FC Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f66b7635d1e7e7c4300a440bc7e14cb8ecbf5138ccedf79c19a0bc883fd973c0
            • Instruction ID: 8bd4fa8795043477900c4f8a684708573f782f2306065ff077750b8a6c7aaa08
            • Opcode Fuzzy Hash: f66b7635d1e7e7c4300a440bc7e14cb8ecbf5138ccedf79c19a0bc883fd973c0
            • Instruction Fuzzy Hash: CE015E74E012099FDB44DFA9D441B9EFBF4FF08300F1481A9A519EB381EA749A008B90
            Function 02FDC0F0 Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7e17edad2ceb9cfc3048ed0c9c342e1a92603ca8146b0b54aea0cdd207cdc3ce
            • Instruction ID: e8d7af33db099aa49f7c04211f4e655bce90a557b536b31ea295844eec24f4b2
            • Opcode Fuzzy Hash: 7e17edad2ceb9cfc3048ed0c9c342e1a92603ca8146b0b54aea0cdd207cdc3ce
            • Instruction Fuzzy Hash: B6F096737042515BF615A6159C01B63729BDBD07D5F298067EB058B690EA71D801C2A5
            Function 030B3749 Relevance: .0, Instructions: 38COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
            • Instruction ID: 2d10dd9e6df41fc5052cf331a6e875d38429678b1cabdd2ad207cf53ead8978e
            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
            • Instruction Fuzzy Hash: 2EF04FB6941204BFE721EBA4CD41FDBBBFCEB44710F100566BA56DA190EA70AA44CB90
            Function 0308437C Relevance: .0, Instructions: 37COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction ID: 9c409199a45568d160f170b922105569b65a0ecf8f0cbf9f04eda30a00307dbe
            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction Fuzzy Hash: AEF0E935343E1357DBB5FB2B9850B2EF2D59FD0B50B49052C9591DB680DF10D8008784
            Function 02FD92FF Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb6c5987bce89d6efb48cfe90677523ee024dc0ad078a14cb0c7eb1a84cc1b53
            • Instruction ID: 0840c46db17c75bfa0e4833954df2053ebd08e9665a7c96ff9d99307aa32fbad
            • Opcode Fuzzy Hash: eb6c5987bce89d6efb48cfe90677523ee024dc0ad078a14cb0c7eb1a84cc1b53
            • Instruction Fuzzy Hash: 6FF09032200644ABD731AB59DD04F9ABBEEEF84750F190559AA4693190D7A1A905CA50
            Function 0309F3E6 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 701ee8e19bff23c803ac42bb9137fd03949654db56555a0db158a516172c32be
            • Instruction ID: 4c01b2a6518f860abe3cb7b468b0143b6ef73fc931d3600db0fb057b15345fbc
            • Opcode Fuzzy Hash: 701ee8e19bff23c803ac42bb9137fd03949654db56555a0db158a516172c32be
            • Instruction Fuzzy Hash: FEF0AF75E0224CEFCB44EFA9D545A9EBBF4EF48300F40806AB945EB381D674EA00CB54
            Function 02FE47FB Relevance: .0, Instructions: 33COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fac18ed091aac08a5d25a29b8137aa33f695359c261994e41334c2600629b612
            • Instruction ID: d0e15a01877b90c646829b5873a62279ad14eff7c824a5a6df72f10e026485a2
            • Opcode Fuzzy Hash: fac18ed091aac08a5d25a29b8137aa33f695359c261994e41334c2600629b612
            • Instruction Fuzzy Hash: 15F09A32E166E09EDF23CB69C454FA2B7D49B00AE4F0D89AED7BB87511C724DA80C650
            Function 030A0115 Relevance: .0, Instructions: 32COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14a9c1df3fccff26806dff7023e11c0c4d0a55773945d8ffdb6bd428607e6691
            • Instruction ID: 16840524eb00ffd2833a622bc08a969311dbff94e3b09d08aab76410283e2b87
            • Opcode Fuzzy Hash: 14a9c1df3fccff26806dff7023e11c0c4d0a55773945d8ffdb6bd428607e6691
            • Instruction Fuzzy Hash: D0F0276A817B8C06DF61EB6CB8A02D1EBD89781114F4D108AC8A25B204C57A8493C624
            Function 030B539D Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 891716f1d4451bb84e836944f900a91e97991358b9376e9822758c871a79afc8
            • Instruction ID: b37bc66f5abca473dfb85b39d37e4968906940cfbe2bdb479ee36da524279c34
            • Opcode Fuzzy Hash: 891716f1d4451bb84e836944f900a91e97991358b9376e9822758c871a79afc8
            • Instruction Fuzzy Hash: 05F0B474A1134C9FC704EF79D441E9DB7F4AF44700F1080A8E501EB380DAB4D9018B24
            Function 030B5283 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c7b7bfbb0fb4aafe6be78c7e3bc5da651e3ee708913804e5e857c471b9eab67c
            • Instruction ID: 30d7aed37bddb203b7cfaace5fa60afc319d877abff4e12d86c5b3f776ba988d
            • Opcode Fuzzy Hash: c7b7bfbb0fb4aafe6be78c7e3bc5da651e3ee708913804e5e857c471b9eab67c
            • Instruction Fuzzy Hash: 1BF0BE74A12348ABDB04EFA9D901EAEB7F4EF44300F004498A941EB281EA78E9008B54
            Function 030B52E2 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ffd2d2a6130ce14937f920f730c1fdb659178853011102718ab8de9ad3f915a5
            • Instruction ID: 994bda892466d7e52f088b44d8abe651997f2c7ee6ae5f88a17fd4a945a07cf1
            • Opcode Fuzzy Hash: ffd2d2a6130ce14937f920f730c1fdb659178853011102718ab8de9ad3f915a5
            • Instruction Fuzzy Hash: 34F0B474A113489BC704EFB9D941EAEB7F4AF44700F044498A501EB380DA74D900CB14
            Function 03022619 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction ID: 5ba5d1d87234ce8b2bf4dd7e06c19ae4f3f6af9b1c77647f747db57a9f4beaab
            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction Fuzzy Hash: 37E092723016102BD7519E59CCC4F577BAE9FC2B10F440479BA049E251CAE69C1987A4
            Function 030B5341 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 74b09c83d77764f65d64016ac7b4849a8f2a09aebae0c14603aa7d9d9033bc6a
            • Instruction ID: 5052ae0f27d58847f1aa11f63552ba00150edc7a18a4878a91da770b81df30bc
            • Opcode Fuzzy Hash: 74b09c83d77764f65d64016ac7b4849a8f2a09aebae0c14603aa7d9d9033bc6a
            • Instruction Fuzzy Hash: ADF0A7B4A02248ABDB04EBB9D955EDEBBF4EF49744F540499F502EB3D0EA74DD008728
            Function 03017208 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3b3be41005958ed4786ec20b1efb348018b35f7d039518bfb7071a946fe0c736
            • Instruction ID: a5a8845f32a67d65783e1ce38d954814470c84e66956c820d6f5a9ec9c7e99c5
            • Opcode Fuzzy Hash: 3b3be41005958ed4786ec20b1efb348018b35f7d039518bfb7071a946fe0c736
            • Instruction Fuzzy Hash: 20F0A0719136949FDBA2DB1AC184BE3B7E89B01B70F1D85A1FC198B513DB68D8C4C650
            Function 030B5227 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cf37dfdbe0392c72a0d7c15229ca5a6331f2d9388401fc432a5801e654359376
            • Instruction ID: cede0994bfd1914d08cad030026a8ef9c8b41bed9121c16ef7b3b7692c16232b
            • Opcode Fuzzy Hash: cf37dfdbe0392c72a0d7c15229ca5a6331f2d9388401fc432a5801e654359376
            • Instruction Fuzzy Hash: DAF02770A12348ABCB04EFB8E901EAEB7F4EF44300F040098BA01EB2C0EA74D900C758
            Function 030B51CB Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c7f7e658206bd5a12917149a30a92a3037f2530a0f02dfc1cff32f4b60921994
            • Instruction ID: f82bddd7a5e7f5f5e9d044ba5d41dfd45f9c9569c23b550a957d239b00d80793
            • Opcode Fuzzy Hash: c7f7e658206bd5a12917149a30a92a3037f2530a0f02dfc1cff32f4b60921994
            • Instruction Fuzzy Hash: 6AF0AE74A1225C9BDB04EBB9D915E9EB7F4EF44304F140499F941DB2D0EA74D900C754
            Function 0305D070 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
            • Instruction ID: 02ac4c8724891b32308d31a209597f804e89ed5bf3268c2d6ae6512c1db9283f
            • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
            • Instruction Fuzzy Hash: C5F02B3350561467C231BA4D8C15F9BFBACDBD5B70F10035ABA249B1E0DA70E901C7D6
            Function 0309F72E Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f31a3de5568542173af847c8d32da2e6a3f57f38c07bfd2889f091642ed8de2e
            • Instruction ID: fa605c7814cbcfa303a51ba771b27b3bb87bea6650a4880b454212320c60072c
            • Opcode Fuzzy Hash: f31a3de5568542173af847c8d32da2e6a3f57f38c07bfd2889f091642ed8de2e
            • Instruction Fuzzy Hash: 86F0A775A02749ABDB04EFB9D959E9FBBF4EF48704F040099F602EB2C0D974D9019719
            Function 03076030 Relevance: .0, Instructions: 29COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
            • Instruction ID: e4d169df48c07f97850e1de38e032631a6a72a94174ff22161e48bf727f94f6a
            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
            • Instruction Fuzzy Hash: F9F03072505608DFE720CF05D984F57BBE9EB05364F45C465E60A9B560D37AEC40CBE8
            Function 030B37B6 Relevance: .0, Instructions: 27COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
            • Instruction ID: 2b1475234cc3ca5104b48218a76579b652c95c98f4dace63e4b35d8ab83b37ee
            • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
            • Instruction Fuzzy Hash: 7FE06DB2251250ABD7A4DB58DD05FE6B3ECEB40760F240298B215970E0DAB0AE40CB60
            Function 03064000 Relevance: .0, Instructions: 22COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction ID: 7b87db86dffa6d5701116494ae69070bef90fbcf4b2610cb36ccfb781d442167
            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction Fuzzy Hash: 8EE0C2343007168FE755CF1AC044B62B7F6BFD5A10F28C068A8488F309EB32E842CB40
            Function 02FD823B Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction ID: 4e3695017511ccf344d5043cac1fa54ddea2fdd4fc6178c2c82e7ee2d32792e8
            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction Fuzzy Hash: B1E0C232602A20EFDB726F15DC00F917AEEFF94BD1F194C69F2810A0A48770AC82CB44
            Function 0309B3D0 Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction ID: 7ebd066ee0cbb893867f563cbc6ea3b88d179f60b79f1114ea259e6e0ffe5929
            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction Fuzzy Hash: 62E0CD31245114B7DF226A40DC00F697756DF407E0F104072FB085A650C571DC91EAD4
            Function 030692BC Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dd665bc91592570bb7cbb44d790b1a9fee3fe79143257b26ca94b96cc118e746
            • Instruction ID: c7998f15e3db39d4fbf5b0b2326f4a69743c294494ec40df12eed18ed56086b0
            • Opcode Fuzzy Hash: dd665bc91592570bb7cbb44d790b1a9fee3fe79143257b26ca94b96cc118e746
            • Instruction Fuzzy Hash: 0DF0E534252B80CFE71ADF08D1E1B6173F9FB85B40F540498D8468BFA6C73AA942CA80
            Function 02FE2050 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7b71da8974df0ccac85f4e3c2561692edd69fa24298e6c30b8c3b56d04dbcf8b
            • Instruction ID: c2fb2ed1f2bfa5ea259ba460702ab7192bc66f85506ef2a084466f1cba826b82
            • Opcode Fuzzy Hash: 7b71da8974df0ccac85f4e3c2561692edd69fa24298e6c30b8c3b56d04dbcf8b
            • Instruction Fuzzy Hash: 22E08C321014946BCA12FA5DED10E5A739EEFA43A0F010225B651972A0CA24AC40CB94
            Function 02FDA0E3 Relevance: .0, Instructions: 15COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction ID: c88edbe467e4c9d00fdcbbf4f303af486fbb7594c463022c4b818ab52490de9e
            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction Fuzzy Hash: 03D0223331607093CF2856606C14F6379079F80AD4F0E00AC360A93800C1048C82DAE4
            Function 02FF02A0 Relevance: .0, Instructions: 13COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction ID: 5d0386875cdf999ed141212c1d94ac39dbed238c591032c348a0e04f3eda8ff8
            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction Fuzzy Hash: 4ED0C975652E80CFC75ACB0DC5A4B2533A4FF44B84F8548E4E601CBB36DB2CD940CA10
            Function 0306930B Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction ID: b23e5ece555fd5fba1c0022dac226ba2342a417b5dc8356a85cead19bf22ee00
            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction Fuzzy Hash: 85D05E35942AC4CFE727CB08C165B507BF8F745B40F890098E04247FA2C37C9984CB00
            Function 0301C700 Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction ID: 65766055705f67a9106f5f9af42c5cdf74f000255fb5eac2a273710f03bbfc09
            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction Fuzzy Hash: 7EC01232150644AFC7119A94DD01F0177A9EB98B40F010061F30447570C531E850DA44
            Function 03000310 Relevance: .0, Instructions: 11COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction ID: 2aa95dd5f88554cbe6dcee5b00beb24e8f3105f6643271fbdaed630b0c36192e
            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction Fuzzy Hash: 0FD01236100248EFCB02DF51C890E9A772AFBC8710F108019FD190B6508A31ED62DA50
            Function 02FE0750 Relevance: .0, Instructions: 9COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction ID: ebc09ee24b0da7294b2947201930ff7e3d291ce6661bcd8744fc8c82f6f282fd
            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction Fuzzy Hash: 3FC0487A712A858FCF55DB2AD694F4977E8FB44780F1908D0EA06CBB21E664E802CA10
            Function 03024340 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5a90e2950ac59564da3333199581fca6ed52fdaa9ea5cec07be660a7b39fd826
            • Instruction ID: 709bcaeccebc97e6b7371385014e2658b043a331d2bab08c86d8c4ffe27d884e
            • Opcode Fuzzy Hash: 5a90e2950ac59564da3333199581fca6ed52fdaa9ea5cec07be660a7b39fd826
            • Instruction Fuzzy Hash: 84900231606C0412A140B1588884546405997E1301B55C051F0428554C8B148A5A6361
            Function 03023010 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfc1e135a93924e01d35220d5fa1e068953be285c9610826b71e3198430b7e0f
            • Instruction ID: e5f6556f6cd02ec2f4db9ffff6acacf182e4fe5cacc1b6edcbb3d68109b233c9
            • Opcode Fuzzy Hash: cfc1e135a93924e01d35220d5fa1e068953be285c9610826b71e3198430b7e0f
            • Instruction Fuzzy Hash: 99900221202C4842E140B2588804B0F415987E2202F95C059B415A554CCA1589596721
            Function 03023090 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a725447f49fa7a97a3a5d09e4d168afef880bfd0f9455b07207cfb0bfe3bb46b
            • Instruction ID: 03e1b064fc3ee434a869fc7cb05cf4eb3565d1d91e6dfdb17c12332a2a7a6eb3
            • Opcode Fuzzy Hash: a725447f49fa7a97a3a5d09e4d168afef880bfd0f9455b07207cfb0bfe3bb46b
            • Instruction Fuzzy Hash: 2390022124280C02E140B158C414707005AC7D1601F55C051B0028554D87168A6976B1
            Function 03024650 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 33403d723d5fb26d785116439aea343d584693d58b7c144a7c4ed11ada2eadaf
            • Instruction ID: 2231961ee8a76327dce745efc7827b63a826026c8d81d964a373de2c24ca78ff
            • Opcode Fuzzy Hash: 33403d723d5fb26d785116439aea343d584693d58b7c144a7c4ed11ada2eadaf
            • Instruction Fuzzy Hash: 09900261602904425140B1588804406605997E2301395C155B0558560C87188959A269
            Function 03022B80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 75c16c0add7b645f8d5831277a7f62550f4237ff558d2ce0c5a205270cd9e9c1
            • Instruction ID: 6c36cbd19d4b73b093bb2a02531d396c88df3777bc04d589852f7e0fbd0e0bc9
            • Opcode Fuzzy Hash: 75c16c0add7b645f8d5831277a7f62550f4237ff558d2ce0c5a205270cd9e9c1
            • Instruction Fuzzy Hash: 9390023120280C02E104B1588804686005987D1301F55C051B6028655E976589957131
            Function 03022BA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0951fe517f8be5123c675ded89e3b9ca1247f81a487cc8f7368aee75fe4d6e66
            • Instruction ID: e803cdd3d935d6d8b344a9b0c14f4715be502085a8abef133700f942847a2ca9
            • Opcode Fuzzy Hash: 0951fe517f8be5123c675ded89e3b9ca1247f81a487cc8f7368aee75fe4d6e66
            • Instruction Fuzzy Hash: D690023160680C02E150B1588414746005987D1301F55C051B0028654D87558B5976A1
            Function 03022BE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 08f3e477535bfb371c0333597676e8e4a57fd0814c0f0d0779a9083998f070bd
            • Instruction ID: 74e7f356f3c27240e2f4023ec7ade43ee08f1d46840a08f532d1aa28bdc1deb9
            • Opcode Fuzzy Hash: 08f3e477535bfb371c0333597676e8e4a57fd0814c0f0d0779a9083998f070bd
            • Instruction Fuzzy Hash: 3690023120684C42E140B1588404A46006987D1305F55C051B0068694D97258E59B661
            Function 03022BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 513ee7ff72e37862a281d4548ce1c28e017dffda3235dc3347058507e47f2c9f
            • Instruction ID: 22e617f4aaa89324a8704c4f3645dc1c29162258aeea93874e964d526eaedb82
            • Opcode Fuzzy Hash: 513ee7ff72e37862a281d4548ce1c28e017dffda3235dc3347058507e47f2c9f
            • Instruction Fuzzy Hash: A790023120280C02E180B158840464A005987D2301F95C055B0029654DCB158B5D77A1
            Function 03022AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dcf2965e60ff67d00835580345b420ec3eb97b298fb65e47e1d73bd11de38c26
            • Instruction ID: efaf9b1e87d408d6a5ecb03113f0ca2baaf93c22764c12b5a20909d93d606435
            • Opcode Fuzzy Hash: dcf2965e60ff67d00835580345b420ec3eb97b298fb65e47e1d73bd11de38c26
            • Instruction Fuzzy Hash: 969002A1202944925500F258C404B0A455987E1201B55C056F1058560CC6258955A135
            Function 03022AD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 40df63f21435756f062879e78e041014b7edc861f6a20c63b69b2064db7dcc5a
            • Instruction ID: 25216e2b4fcf317c61420b39a096e3f9454d1f197cd41e85a734eb50c134a9e3
            • Opcode Fuzzy Hash: 40df63f21435756f062879e78e041014b7edc861f6a20c63b69b2064db7dcc5a
            • Instruction Fuzzy Hash: A8900225212804031105F5584704507009A87D6351355C061F1019550CD72189656121
            Function 03022AF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 20e4099cf57208bd50ab80fbe3f3113fff85d85b02f75109f06bab96a161748a
            • Instruction ID: 0d0d79fcbdbbb92385393fe1b3566d561b259f52ff2dbb4b622891e4b99a3e5b
            • Opcode Fuzzy Hash: 20e4099cf57208bd50ab80fbe3f3113fff85d85b02f75109f06bab96a161748a
            • Instruction Fuzzy Hash: D3900225222804021145F558460450B049997D7351395C055F141A590CC72189696321
            Function 030239B0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 57a8feb081fead6fea6629b00a79bb62b45d94008b319480ab49dd1aab5f9a64
            • Instruction ID: 9fe46e2eb082c442688c343ae34063b5486e2fce9c3328cf646e216ae8fb67f9
            • Opcode Fuzzy Hash: 57a8feb081fead6fea6629b00a79bb62b45d94008b319480ab49dd1aab5f9a64
            • Instruction Fuzzy Hash: D190022124685502E150B15C84046164059A7E1201F55C061B0818594D865589597221
            Function 03022F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9bd6633cbd8ac366ffa44835d6721979904c3b5f01ca12685f83934bed639d81
            • Instruction ID: 2aedbbce88a9fe17b2617643a440c63bef068831c67090d83b38b8794aaeaba8
            • Opcode Fuzzy Hash: 9bd6633cbd8ac366ffa44835d6721979904c3b5f01ca12685f83934bed639d81
            • Instruction Fuzzy Hash: 8A90026134280842E100B1588414B060059C7E2301F55C055F1068554D8719CD567126
            Function 03022F60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d7f1a994a4c5fe59e6e28000354690c114c9c355d0758ed1f13ffd4358df78ac
            • Instruction ID: af87a7df17f12732e1e98c627730bd81b2d759fbea670c3a4f770f436e908307
            • Opcode Fuzzy Hash: d7f1a994a4c5fe59e6e28000354690c114c9c355d0758ed1f13ffd4358df78ac
            • Instruction Fuzzy Hash: 4D90026121280442E104B1588404706009987E2201F55C052B2158554CC6298D656125
            Function 03022F90 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e2d8fea67c4119aecfbfb159fe7ce5ffcfdd1cf1b32292889dc39ea95cef1db7
            • Instruction ID: e2700c5c2072d09b3d69998dc106c4fbf52ff47073812a9dfe95efa25fd5152a
            • Opcode Fuzzy Hash: e2d8fea67c4119aecfbfb159fe7ce5ffcfdd1cf1b32292889dc39ea95cef1db7
            • Instruction Fuzzy Hash: 0F900231202C0802E100B158881470B005987D1302F55C051B1168555D872589557571
            Function 03022FA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bec9657b93009d49962a3d3cb3cc0bfb03c25a7ec78219b60ed61962c8b704dd
            • Instruction ID: b5fec74d9aa2e0a14987764ff31b5ba089dd3df2b03e38076ad918dc9ef02040
            • Opcode Fuzzy Hash: bec9657b93009d49962a3d3cb3cc0bfb03c25a7ec78219b60ed61962c8b704dd
            • Instruction Fuzzy Hash: 97900231202C0802E100B1588808747005987D1302F55C051B5168555E8765C9957531
            Function 03022FB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3a28ade060cc87f7c0328ca97c868271987a141ee91494b3f8cd1420bac318dc
            • Instruction ID: f1565f3689fb971d4777d7a07cb023aa98d3532139884e4f07251d7834f3ecb7
            • Opcode Fuzzy Hash: 3a28ade060cc87f7c0328ca97c868271987a141ee91494b3f8cd1420bac318dc
            • Instruction Fuzzy Hash: A1900221602804425140B168C8449064059ABE2211755C161B099C550D865989696665
            Function 03022FE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 302aa20a1e236ec457c7e05bcf8f9bfbd71e3e8a08576f36a0cac29036b24d56
            • Instruction ID: 5615b244c06202d83a8cef2a7c9b24c4d8cf3471482ea0425ef7a74df08d2d43
            • Opcode Fuzzy Hash: 302aa20a1e236ec457c7e05bcf8f9bfbd71e3e8a08576f36a0cac29036b24d56
            • Instruction Fuzzy Hash: 2C900221212C0442E200B5688C14B07005987D1303F55C155B0158554CCA1589656521
            Function 03022E30 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0f0213e860f4e0b41755460f76bf6f571ce36c1ba260c2e8a8bbdd4a39bbd846
            • Instruction ID: 03ded4c8d2e903b0505ac3d3fa87ed07fc63ee79bea5ec38a4634dcf6817c36e
            • Opcode Fuzzy Hash: 0f0213e860f4e0b41755460f76bf6f571ce36c1ba260c2e8a8bbdd4a39bbd846
            • Instruction Fuzzy Hash: 6C90022130280802E102B1588414606005DC7D2345F95C052F1428555D87258A57B132
            Function 03022E80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d2d9204d9c0bc01346749ef25e0a41bf82792f747d575c1349166af1452d2797
            • Instruction ID: afcd91bbf24505683f7193c984c5611a8bc6f3e83c60a273f37bfd439f23021d
            • Opcode Fuzzy Hash: d2d9204d9c0bc01346749ef25e0a41bf82792f747d575c1349166af1452d2797
            • Instruction Fuzzy Hash: 5390022160280902E101B1588404616005E87D1241F95C062B1028555ECB258A96B131
            Function 03022EA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 60245b7ab105aee12d122dc7402c9389b1f11bfc42f5660cbd4d05a24eb46386
            • Instruction ID: 03e81f2957d5b1ee94cb696d004641b42c4fe02cb56751e2088156507b5edc8f
            • Opcode Fuzzy Hash: 60245b7ab105aee12d122dc7402c9389b1f11bfc42f5660cbd4d05a24eb46386
            • Instruction Fuzzy Hash: 6990027120280802E140B1588404746005987D1301F55C051B5068554E87598ED97665
            Function 03022EE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e39a56244ec3fbdb26c2d852ad0de92926ee3d63fb7dadfc360edb32a06a4a8f
            • Instruction ID: 167267be5ed98d407929290894021219f483958a4c53c9664c0df9f4bb84d8d6
            • Opcode Fuzzy Hash: e39a56244ec3fbdb26c2d852ad0de92926ee3d63fb7dadfc360edb32a06a4a8f
            • Instruction Fuzzy Hash: 45900261202C0803E140B5588804607005987D1302F55C051B2068555E8B298D557135
            Function 03022D00 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 20642d7e5aadcfa701bacffe4fa0b7c555c7c9e9a5847921eb57b691d05e789a
            • Instruction ID: 451696c9bf1cd1fa333a9ae769b60440a1718df04009d24faf66178713895fdf
            • Opcode Fuzzy Hash: 20642d7e5aadcfa701bacffe4fa0b7c555c7c9e9a5847921eb57b691d05e789a
            • Instruction Fuzzy Hash: 9C90022120684842E100B5589408A06005987D1205F55D051B1068595DC7358955B131
            Function 03022D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 40708a5429867108cd382ce9f5b7e2a7be97dba139fbe84fa234e9212d71ddad
            • Instruction ID: 4847525013689d74950542cc60a09fe8d410ce54cf810aebb9d8bb8832f10ab0
            • Opcode Fuzzy Hash: 40708a5429867108cd382ce9f5b7e2a7be97dba139fbe84fa234e9212d71ddad
            • Instruction Fuzzy Hash: 2790022921380402E180B158940860A005987D2202F95D455B0019558CCA15896D6321
            Function 03023D10 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1639bc5e167411f1dd9745335ae71fd4b91d9c4a223151419f7975983c4ea65f
            • Instruction ID: 83a83f94f27b908126380122edcf9ba637038e2dbe35baacb72baa79d304fc12
            • Opcode Fuzzy Hash: 1639bc5e167411f1dd9745335ae71fd4b91d9c4a223151419f7975983c4ea65f
            • Instruction Fuzzy Hash: 9A90023120380542A540B2589804A4E415987E2302B95D455B0019554CCA1489656221
            Function 03022D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 215079f404f7ebb71e4eae497a19a8c8a1e198b474ffd1d32c5dcc7cd40785b2
            • Instruction ID: 1455f266d0720b6e0476ed0ff021a6546655f71d6f8c54831abfcab9752c5dd4
            • Opcode Fuzzy Hash: 215079f404f7ebb71e4eae497a19a8c8a1e198b474ffd1d32c5dcc7cd40785b2
            • Instruction Fuzzy Hash: 7D90022130280403E140B15894186064059D7E2301F55D051F0418554CDA15895A6222
            Function 03023D70 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 053b2b0f560cba14fdb7c42e630bd279f825a96ac8212452056809fcff839f69
            • Instruction ID: c5356c01c2fc16d387c2fbc47f23bc9ff7691e8b205e49f39cdd912cf86b40d4
            • Opcode Fuzzy Hash: 053b2b0f560cba14fdb7c42e630bd279f825a96ac8212452056809fcff839f69
            • Instruction Fuzzy Hash: A790023520280802E510B1589804646009A87D1301F55D451B0428558D875489A5B121
            Function 03022DB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 786288784c2250f6faa5114fafea8154419852416546b2812e0e9623bc76661d
            • Instruction ID: 8f45ff19e64ad270038cf508fe92269f87caf10e52cadaff1666d6b3cc90147c
            • Opcode Fuzzy Hash: 786288784c2250f6faa5114fafea8154419852416546b2812e0e9623bc76661d
            • Instruction Fuzzy Hash: 2690023124280802E141B1588404606005D97D1241F95C052B0428554E87558B5ABA61
            Function 03022DD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c3488541025b8a270e1cc73747147a381f2335096654753d7afd23a76502bc66
            • Instruction ID: b1bfd70e96ec835e2c326ac07ab6d2c27fa54825f967efd5fe59212b068d16f2
            • Opcode Fuzzy Hash: c3488541025b8a270e1cc73747147a381f2335096654753d7afd23a76502bc66
            • Instruction Fuzzy Hash: 8F900221243845526545F1588404507405A97E1241795C052B1418950C8626995AE621
            Function 03022C60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d57cd99bf2e934c51e0996fef19b627602f4e26be5fa986c22ff92af269304db
            • Instruction ID: 3afe44a574429e4fe4be027aac3f7c5bc8f13d64cf507cc62dec844a48406e30
            • Opcode Fuzzy Hash: d57cd99bf2e934c51e0996fef19b627602f4e26be5fa986c22ff92af269304db
            • Instruction Fuzzy Hash: A590023120280C42E100B1588404B46005987E1301F55C056B0128654D8715C9557521
            Function 03022C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e4993c20255bffeb6cf1165a2b29f474ef42376eecc65a5d05f0a2ec738925e5
            • Instruction ID: 3e0d75a8e07d6976c6a4114d28d5806d850c88b1729b33df0e59c502fcb5414f
            • Opcode Fuzzy Hash: e4993c20255bffeb6cf1165a2b29f474ef42376eecc65a5d05f0a2ec738925e5
            • Instruction Fuzzy Hash: 1690023120288C02E110B158C40474A005987D1301F59C451B4428658D879589957121
            Function 03022CA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fb98b2a0edd45bde48ba93c4f3e4543b3157adecd88c018a86ddde42d3869bbc
            • Instruction ID: f5aac4ed98ff0a6bac57123d256ed95e44852148e1b789afe26832a9b1c47057
            • Opcode Fuzzy Hash: fb98b2a0edd45bde48ba93c4f3e4543b3157adecd88c018a86ddde42d3869bbc
            • Instruction Fuzzy Hash: 2290023120280802E100B5989408646005987E1301F55D051B5028555EC76589957131
            Function 03022CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b609ac108c2777fd4086cde0d1cd9fd221e55188f615dcd074eb4fd8f8bb809
            • Instruction ID: dfca5dfd18b0cf780399f8cbf252191bb56e6c3c9c796226080e3aeecdea3178
            • Opcode Fuzzy Hash: 2b609ac108c2777fd4086cde0d1cd9fd221e55188f615dcd074eb4fd8f8bb809
            • Instruction Fuzzy Hash: 7E90022160680802E140B1589418706006987D1201F55D051B0028554DC7598B5976A1
            Function 03022CF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4881d56696def99c0fc132e47b27173a9e7564eaffaef672d6a66782210bec2
            • Instruction ID: 9e27020c1b7bb433f47110d7e123c5a15e27f97d649198574f24b9b8e9c5064e
            • Opcode Fuzzy Hash: d4881d56696def99c0fc132e47b27173a9e7564eaffaef672d6a66782210bec2
            • Instruction Fuzzy Hash: E290023120280803E100B1589508707005987D1201F55D451B0428558DD75689557121
            Function 03022C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction ID: 26130c610df9d0fb63ccfbddb48923e03ffc3c3b92f312f186d0dd11e28fcf8f
            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction Fuzzy Hash:
            Function 03022890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 8bbf19137e1a689b43564fd3942a31b41eb1f30e93392e2cd30247d86ab22d34
            • Instruction ID: a006180445f1160aaf5a4e758be28af108d2f1150fb4fab89022bf101dca2647
            • Opcode Fuzzy Hash: 8bbf19137e1a689b43564fd3942a31b41eb1f30e93392e2cd30247d86ab22d34
            • Instruction Fuzzy Hash: 505139B5B06126BFDB61DFD988809BFFBFCBB49200B548669E855D7640D234DE00CBA0
            Function 03017630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
            Download Yara Rule
            Strings
            • ExecuteOptions, xrefs: 030546A0
            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03054742
            • Execute=1, xrefs: 03054713
            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03054725
            • CLIENT(ntdll): Processing section info %ws..., xrefs: 03054787
            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 030546FC
            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03054655
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
            • API String ID: 0-484625025
            • Opcode ID: d21b7e2dff73da8af09bcac901d7f6e64f49a2cf248cad56a57854eaa066940e
            • Instruction ID: f292cbf5ce131dc3e78dd43e7b8ebb4769c15a75b9e25fa300ad4582c5d8620e
            • Opcode Fuzzy Hash: d21b7e2dff73da8af09bcac901d7f6e64f49a2cf248cad56a57854eaa066940e
            • Instruction Fuzzy Hash: CC513C35A0231A7AEF11EBA5EC85FEF77E8EF44700F1404D9E906AB181DB719A618F50
            Function 0302B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-$0$0
            • API String ID: 1302938615-699404926
            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction ID: 71abbea1654adc4d954818849e1272d936493781e03822459052ff1e8e2a1a83
            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction Fuzzy Hash: AF81AA30E076699FDF28CE68C8947EEBFE6AF45320F1C465AD865A7391C6388841CB50
            Function 0300F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
            Download Yara Rule
            Strings
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 030502E7
            • RTL: Re-Waiting, xrefs: 0305031E
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 030502BD
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
            • API String ID: 0-2474120054
            • Opcode ID: 5b290e72f392d1556c8b770b9673151c107426d6428854c6e5eb5a06dadd5644
            • Instruction ID: a7fef09cf2429b43ebc34e0c3511233d790a8da7b063c55a40b117e677bdcf7f
            • Opcode Fuzzy Hash: 5b290e72f392d1556c8b770b9673151c107426d6428854c6e5eb5a06dadd5644
            • Instruction Fuzzy Hash: 99E1BE3060A7429FE765CF28C884B6EB7E4BF84314F180A6DF9A58B2E1D774D945CB42
            Function 0301BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
            Download Yara Rule
            Strings
            • RTL: Re-Waiting, xrefs: 03057BAC
            • RTL: Resource at %p, xrefs: 03057B8E
            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03057B7F
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 0-871070163
            • Opcode ID: d692f0faae1b9e4c7927a08a05d46e590b8be7bb8edffb1c384c97915157f8b4
            • Instruction ID: 8550d1b9a050fbdac6854fdac464c43c2043319d0885c0e0f206eb7cdd863eac
            • Opcode Fuzzy Hash: d692f0faae1b9e4c7927a08a05d46e590b8be7bb8edffb1c384c97915157f8b4
            • Instruction Fuzzy Hash: 8E41D1357027029FD724DE29C840BABB7E5EF88720F140A1DF95ADB680DB71E8158B91
            Function 0301B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0305728C
            Strings
            • RTL: Re-Waiting, xrefs: 030572C1
            • RTL: Resource at %p, xrefs: 030572A3
            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03057294
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 885266447-605551621
            • Opcode ID: 5250a84c0569908d5d0fbee2b4d295d9c81a357cb79d744c9496539c9dda3250
            • Instruction ID: b7a9e589890bfa02593aa0c590dbfe4dbfbb6f74bdf5f3e412579bacfb2326ab
            • Opcode Fuzzy Hash: 5250a84c0569908d5d0fbee2b4d295d9c81a357cb79d744c9496539c9dda3250
            • Instruction Fuzzy Hash: A041FF35702306ABD720DE25CC41BAAB7E9FF84B10F144A19FD55EB640DB21E8129BD0
            Function 03027D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-
            • API String ID: 1302938615-2137968064
            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
            • Instruction ID: 04738edee3afcb325532a709a69817319c653b3b4530badeb0f4e8273c29d78c
            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
            • Instruction Fuzzy Hash: 3891D574E0623A9BDFA4DE69C8817BEBFF5AF44B20F18451AE865E72C1D73089408721
            Function 02FE9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2261741489.0000000002FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_2fb0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$@
            • API String ID: 0-1194432280
            • Opcode ID: cc809f5acc7d5a7538b24569f0a0a5416a424d402693fe455c7a2f012d17cccd
            • Instruction ID: d07ac4ef11024c27df08ddcd2371114ae60df116c2b411c013a04d9ce56b7dbf
            • Opcode Fuzzy Hash: cc809f5acc7d5a7538b24569f0a0a5416a424d402693fe455c7a2f012d17cccd
            • Instruction Fuzzy Hash: A0813CB5D012699BDB31DB54CC44BEEB7B8AF48750F0445EAEA19B7280D7705E80CFA0