Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
OVERDUE SOA.exe

Overview

General Information

Sample name:OVERDUE SOA.exe
Analysis ID:1520070
MD5:d84ae7497316eee6d5dbe3bfe559224f
SHA1:9e66f59a26d6021b74eae7ba2df15dbe2e3b0556
SHA256:840d374a5c77e070befdc5bee5c52ecf4559c7afe7428527c59d03d42b0c3990
Tags:exeuser-threatcat_ch
Infos:

Detection

FormBook
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • OVERDUE SOA.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\OVERDUE SOA.exe" MD5: D84AE7497316EEE6D5DBE3BFE559224F)
    • svchost.exe (PID: 7740 cmdline: "C:\Users\user\Desktop\OVERDUE SOA.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2c060:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1412f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2f493:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x17562:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.svchost.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2e693:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x16762:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          2.2.svchost.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2f493:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17562:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\OVERDUE SOA.exe", CommandLine: "C:\Users\user\Desktop\OVERDUE SOA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\OVERDUE SOA.exe", ParentImage: C:\Users\user\Desktop\OVERDUE SOA.exe, ParentProcessId: 7644, ParentProcessName: OVERDUE SOA.exe, ProcessCommandLine: "C:\Users\user\Desktop\OVERDUE SOA.exe", ProcessId: 7740, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\OVERDUE SOA.exe", CommandLine: "C:\Users\user\Desktop\OVERDUE SOA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\OVERDUE SOA.exe", ParentImage: C:\Users\user\Desktop\OVERDUE SOA.exe, ParentProcessId: 7644, ParentProcessName: OVERDUE SOA.exe, ProcessCommandLine: "C:\Users\user\Desktop\OVERDUE SOA.exe", ProcessId: 7740, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: OVERDUE SOA.exeAvira: detected
          Multi AV Scanner detection for submitted file
          Source: OVERDUE SOA.exeReversingLabs: Detection: 23%
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: OVERDUE SOA.exeJoe Sandbox ML: detected
          Source: OVERDUE SOA.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: OVERDUE SOA.exe, 00000000.00000003.1459884060.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, OVERDUE SOA.exe, 00000000.00000003.1458368751.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, OVERDUE SOA.exe, 00000000.00000003.1460159627.0000000004440000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670228528.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1631428093.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1629351966.0000000002C00000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: OVERDUE SOA.exe, 00000000.00000003.1459884060.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, OVERDUE SOA.exe, 00000000.00000003.1458368751.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, OVERDUE SOA.exe, 00000000.00000003.1460159627.0000000004440000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1670228528.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1631428093.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1629351966.0000000002C00000.00000004.00000020.00020000.00000000.sdmp

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C753 NtClose,2_2_0042C753
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,2_2_030735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074340 NtSetContextThread,2_2_03074340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073090 NtSetValueKey,2_2_03073090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074650 NtSuspendThread,2_2_03074650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BF0 NtAllocateVirtualMemory,2_2_03072BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AD0 NtReadFile,2_2_03072AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F30 NtCreateSection,2_2_03072F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F90 NtProtectVirtualMemory,2_2_03072F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FB0 NtResumeThread,2_2_03072FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FE0 NtCreateFile,2_2_03072FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E80 NtReadVirtualMemory,2_2_03072E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EA0 NtAdjustPrivilegesToken,2_2_03072EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D10 NtMapViewOfSection,2_2_03072D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D30 NtUnmapViewOfSection,2_2_03072D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D70 NtOpenThread,2_2_03073D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DD0 NtDelayExecution,2_2_03072DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C60 NtCreateKey,2_2_03072C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C70 NtFreeVirtualMemory,2_2_03072C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CA0 NtQueryInformationToken,2_2_03072CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004020732_2_00402073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004168D32_2_004168D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101732_2_00410173
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004031C02_2_004031C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E1F32_2_0040E1F3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D0A2_2_00402D0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D102_2_00402D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042ED832_2_0042ED83
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004026202_2_00402620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FF532_2_0040FF53
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F132D2_2_030F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302D34C2_2_0302D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA3522_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308739A2_2_0308739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F02_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031003E62_2_031003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E02742_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030452A02_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C02_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030301002_2_03030100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA1182_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0307516C2_2_0307516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F1722_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310B16B2_2_0310B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304B1B02_2_0304B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031001AA2_2_031001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F81CC2_2_030F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EF0CC2_2_030EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C02_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F70E92_2_030F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FF0E02_2_030FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030647502_2_03064750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030407702_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FF7B02_2_030FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C02_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F16CC2_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C6E02_2_0305C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030405352_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F75712_2_030F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031005912_2_03100591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DD5B02_2_030DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FF43F2_2_030FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F24462_2_030F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030314602_2_03031460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EE4F62_2_030EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FAB402_2_030FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFB762_2_030FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305FB802_2_0305FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F6BD72_2_030F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B5BF02_2_030B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0307DBF92_2_0307DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFA492_2_030FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F7A462_2_030F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B3A6C2_2_030B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303EA802_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DDAAC2_2_030DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03085AA02_2_03085AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EDAC62_2_030EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030499502_2_03049950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B9502_2_0305B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030569622_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030429A02_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310A9A62_2_0310A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD8002_2_030AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030428402_2_03042840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304A8402_2_0304A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030268B82_2_030268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030438E02_2_030438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E8F02_2_0306E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFF092_2_030FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03082F282_2_03082F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060F302_2_03060F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4F402_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041F922_2_03041F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFFB12_2_030FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032FC82_2_03032FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304CFE02_2_0304CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FEE262_2_030FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040E592_2_03040E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03052E902_2_03052E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FCE932_2_030FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03049EB02_2_03049EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FEEDB2_2_030FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304AD002_2_0304AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03043D402_2_03043D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F1D5A2_2_030F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F7D732_2_030F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03058DBF2_2_03058DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305FDC02_2_0305FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303ADE02_2_0303ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040C002_2_03040C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B9C322_2_030B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0CB52_2_030E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030CF22_2_03030CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFCF22_2_030FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 268 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 90 times
          Source: OVERDUE SOA.exe, 00000000.00000003.1458533509.00000000046BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs OVERDUE SOA.exe
          Source: OVERDUE SOA.exe, 00000000.00000003.1454808706.0000000004513000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs OVERDUE SOA.exe
          Source: OVERDUE SOA.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal92.troj.evad.winEXE@3/1@0/0
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeFile created: C:\Users\user\AppData\Local\Temp\disturbJump to behavior
          Source: OVERDUE SOA.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: OVERDUE SOA.exeReversingLabs: Detection: 23%
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeFile read: C:\Users\user\Desktop\OVERDUE SOA.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\OVERDUE SOA.exe "C:\Users\user\Desktop\OVERDUE SOA.exe"
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OVERDUE SOA.exe"
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OVERDUE SOA.exe"Jump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: OVERDUE SOA.exeStatic file information: File size 1363445 > 1048576
          Source: Binary string: wntdll.pdbUGP source: OVERDUE SOA.exe, 00000000.00000003.1459884060.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, OVERDUE SOA.exe, 00000000.00000003.1458368751.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, OVERDUE SOA.exe, 00000000.00000003.1460159627.0000000004440000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670228528.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1631428093.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1629351966.0000000002C00000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: OVERDUE SOA.exe, 00000000.00000003.1459884060.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, OVERDUE SOA.exe, 00000000.00000003.1458368751.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, OVERDUE SOA.exe, 00000000.00000003.1460159627.0000000004440000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1670228528.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1631428093.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1629351966.0000000002C00000.00000004.00000020.00020000.00000000.sdmp
          Source: OVERDUE SOA.exeStatic PE information: real checksum: 0xa961f should be: 0x151f5b
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041D0A4 push 0000000Dh; iretd 2_2_0041D0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041491A push edx; ret 2_2_00414954
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AAEC push ecx; iretd 2_2_0040AAED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041F340 push esi; ret 2_2_0041F343
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00413BE3 push eax; retf 2_2_00413BE4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041EBA0 push esp; iretd 2_2_0041EBDC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041EBA3 push esp; iretd 2_2_0041EBDC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040ABA5 push edx; retf 2_2_0040ABA9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00403430 push eax; ret 2_2_00403432
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D43B push es; retf 2_2_0040D455
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401CE0 push ds; iretd 2_2_00401DEB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004015DF push 00000028h; ret 2_2_004015F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004085F8 push eax; ret 2_2_00408602
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416643 pushfd ; iretd 2_2_00416658
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx2_2_030309B6
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeAPI/Special instruction interceptor: Address: 40DF22C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD1C0 rdtsc 2_2_030AD1C0
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7744Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD1C0 rdtsc 2_2_030AD1C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417883 LdrLoadDll,2_2_00417883
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B930B mov eax, dword ptr fs:[00000030h]2_2_030B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B930B mov eax, dword ptr fs:[00000030h]2_2_030B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B930B mov eax, dword ptr fs:[00000030h]2_2_030B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]2_2_0302C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]2_2_03050310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F132D mov eax, dword ptr fs:[00000030h]2_2_030F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F132D mov eax, dword ptr fs:[00000030h]2_2_030F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305F32A mov eax, dword ptr fs:[00000030h]2_2_0305F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03027330 mov eax, dword ptr fs:[00000030h]2_2_03027330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302D34C mov eax, dword ptr fs:[00000030h]2_2_0302D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302D34C mov eax, dword ptr fs:[00000030h]2_2_0302D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03105341 mov eax, dword ptr fs:[00000030h]2_2_03105341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029353 mov eax, dword ptr fs:[00000030h]2_2_03029353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029353 mov eax, dword ptr fs:[00000030h]2_2_03029353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]2_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EF367 mov eax, dword ptr fs:[00000030h]2_2_030EF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]2_2_030D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03037370 mov eax, dword ptr fs:[00000030h]2_2_03037370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03037370 mov eax, dword ptr fs:[00000030h]2_2_03037370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03037370 mov eax, dword ptr fs:[00000030h]2_2_03037370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]2_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]2_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310539D mov eax, dword ptr fs:[00000030h]2_2_0310539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308739A mov eax, dword ptr fs:[00000030h]2_2_0308739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308739A mov eax, dword ptr fs:[00000030h]2_2_0308739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030533A5 mov eax, dword ptr fs:[00000030h]2_2_030533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030633A0 mov eax, dword ptr fs:[00000030h]2_2_030633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030633A0 mov eax, dword ptr fs:[00000030h]2_2_030633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]2_2_030EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EB3D0 mov ecx, dword ptr fs:[00000030h]2_2_030EB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EF3E6 mov eax, dword ptr fs:[00000030h]2_2_030EF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031053FC mov eax, dword ptr fs:[00000030h]2_2_031053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]2_2_030663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03067208 mov eax, dword ptr fs:[00000030h]2_2_03067208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03067208 mov eax, dword ptr fs:[00000030h]2_2_03067208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03105227 mov eax, dword ptr fs:[00000030h]2_2_03105227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]2_2_0302823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029240 mov eax, dword ptr fs:[00000030h]2_2_03029240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029240 mov eax, dword ptr fs:[00000030h]2_2_03029240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306724D mov eax, dword ptr fs:[00000030h]2_2_0306724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]2_2_0302A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EB256 mov eax, dword ptr fs:[00000030h]2_2_030EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EB256 mov eax, dword ptr fs:[00000030h]2_2_030EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]2_2_03036259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FD26B mov eax, dword ptr fs:[00000030h]2_2_030FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FD26B mov eax, dword ptr fs:[00000030h]2_2_030FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]2_2_0302826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03059274 mov eax, dword ptr fs:[00000030h]2_2_03059274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03071270 mov eax, dword ptr fs:[00000030h]2_2_03071270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03071270 mov eax, dword ptr fs:[00000030h]2_2_03071270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03105283 mov eax, dword ptr fs:[00000030h]2_2_03105283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306329E mov eax, dword ptr fs:[00000030h]2_2_0306329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306329E mov eax, dword ptr fs:[00000030h]2_2_0306329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030452A0 mov eax, dword ptr fs:[00000030h]2_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030452A0 mov eax, dword ptr fs:[00000030h]2_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030452A0 mov eax, dword ptr fs:[00000030h]2_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030452A0 mov eax, dword ptr fs:[00000030h]2_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F92A6 mov eax, dword ptr fs:[00000030h]2_2_030F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F92A6 mov eax, dword ptr fs:[00000030h]2_2_030F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F92A6 mov eax, dword ptr fs:[00000030h]2_2_030F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F92A6 mov eax, dword ptr fs:[00000030h]2_2_030F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C72A0 mov eax, dword ptr fs:[00000030h]2_2_030C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C72A0 mov eax, dword ptr fs:[00000030h]2_2_030C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B92BC mov eax, dword ptr fs:[00000030h]2_2_030B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B92BC mov eax, dword ptr fs:[00000030h]2_2_030B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B92BC mov ecx, dword ptr fs:[00000030h]2_2_030B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B92BC mov ecx, dword ptr fs:[00000030h]2_2_030B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C0 mov eax, dword ptr fs:[00000030h]2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C0 mov eax, dword ptr fs:[00000030h]2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C0 mov eax, dword ptr fs:[00000030h]2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C0 mov eax, dword ptr fs:[00000030h]2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C0 mov eax, dword ptr fs:[00000030h]2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C0 mov eax, dword ptr fs:[00000030h]2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C0 mov eax, dword ptr fs:[00000030h]2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030392C5 mov eax, dword ptr fs:[00000030h]2_2_030392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030392C5 mov eax, dword ptr fs:[00000030h]2_2_030392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B2D3 mov eax, dword ptr fs:[00000030h]2_2_0302B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B2D3 mov eax, dword ptr fs:[00000030h]2_2_0302B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B2D3 mov eax, dword ptr fs:[00000030h]2_2_0302B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305F2D0 mov eax, dword ptr fs:[00000030h]2_2_0305F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305F2D0 mov eax, dword ptr fs:[00000030h]2_2_0305F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED mov eax, dword ptr fs:[00000030h]2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031052E2 mov eax, dword ptr fs:[00000030h]2_2_031052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EF2F8 mov eax, dword ptr fs:[00000030h]2_2_030EF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030292FF mov eax, dword ptr fs:[00000030h]2_2_030292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]2_2_030F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]2_2_03060124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03031131 mov eax, dword ptr fs:[00000030h]2_2_03031131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03031131 mov eax, dword ptr fs:[00000030h]2_2_03031131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B136 mov eax, dword ptr fs:[00000030h]2_2_0302B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B136 mov eax, dword ptr fs:[00000030h]2_2_0302B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B136 mov eax, dword ptr fs:[00000030h]2_2_0302B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B136 mov eax, dword ptr fs:[00000030h]2_2_0302B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03105152 mov eax, dword ptr fs:[00000030h]2_2_03105152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029148 mov eax, dword ptr fs:[00000030h]2_2_03029148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029148 mov eax, dword ptr fs:[00000030h]2_2_03029148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029148 mov eax, dword ptr fs:[00000030h]2_2_03029148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029148 mov eax, dword ptr fs:[00000030h]2_2_03029148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03037152 mov eax, dword ptr fs:[00000030h]2_2_03037152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]2_2_0302C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F172 mov eax, dword ptr fs:[00000030h]2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C9179 mov eax, dword ptr fs:[00000030h]2_2_030C9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]2_2_03070185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03087190 mov eax, dword ptr fs:[00000030h]2_2_03087190
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E11A4 mov eax, dword ptr fs:[00000030h]2_2_030E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E11A4 mov eax, dword ptr fs:[00000030h]2_2_030E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E11A4 mov eax, dword ptr fs:[00000030h]2_2_030E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E11A4 mov eax, dword ptr fs:[00000030h]2_2_030E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304B1B0 mov eax, dword ptr fs:[00000030h]2_2_0304B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306D1D0 mov eax, dword ptr fs:[00000030h]2_2_0306D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306D1D0 mov ecx, dword ptr fs:[00000030h]2_2_0306D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031051CB mov eax, dword ptr fs:[00000030h]2_2_031051CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030551EF mov eax, dword ptr fs:[00000030h]2_2_030551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030351ED mov eax, dword ptr fs:[00000030h]2_2_030351ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D71F9 mov esi, dword ptr fs:[00000030h]2_2_030D71F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F903E mov eax, dword ptr fs:[00000030h]2_2_030F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F903E mov eax, dword ptr fs:[00000030h]2_2_030F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F903E mov eax, dword ptr fs:[00000030h]2_2_030F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F903E mov eax, dword ptr fs:[00000030h]2_2_030F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D705E mov ebx, dword ptr fs:[00000030h]2_2_030D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D705E mov eax, dword ptr fs:[00000030h]2_2_030D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B052 mov eax, dword ptr fs:[00000030h]2_2_0305B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B106E mov eax, dword ptr fs:[00000030h]2_2_030B106E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03105060 mov eax, dword ptr fs:[00000030h]2_2_03105060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov ecx, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041070 mov eax, dword ptr fs:[00000030h]2_2_03041070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD070 mov ecx, dword ptr fs:[00000030h]2_2_030AD070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302D08D mov eax, dword ptr fs:[00000030h]2_2_0302D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03035096 mov eax, dword ptr fs:[00000030h]2_2_03035096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D090 mov eax, dword ptr fs:[00000030h]2_2_0305D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D090 mov eax, dword ptr fs:[00000030h]2_2_0305D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306909C mov eax, dword ptr fs:[00000030h]2_2_0306909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov ecx, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov ecx, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov ecx, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov ecx, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C0 mov eax, dword ptr fs:[00000030h]2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031050D9 mov eax, dword ptr fs:[00000030h]2_2_031050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD0C0 mov eax, dword ptr fs:[00000030h]2_2_030AD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD0C0 mov eax, dword ptr fs:[00000030h]2_2_030AD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030590DB mov eax, dword ptr fs:[00000030h]2_2_030590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030550E4 mov eax, dword ptr fs:[00000030h]2_2_030550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030550E4 mov ecx, dword ptr fs:[00000030h]2_2_030550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03037703 mov eax, dword ptr fs:[00000030h]2_2_03037703
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03035702 mov eax, dword ptr fs:[00000030h]2_2_03035702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03035702 mov eax, dword ptr fs:[00000030h]2_2_03035702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306F71F mov eax, dword ptr fs:[00000030h]2_2_0306F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306F71F mov eax, dword ptr fs:[00000030h]2_2_0306F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EF72E mov eax, dword ptr fs:[00000030h]2_2_030EF72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03033720 mov eax, dword ptr fs:[00000030h]2_2_03033720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304F720 mov eax, dword ptr fs:[00000030h]2_2_0304F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304F720 mov eax, dword ptr fs:[00000030h]2_2_0304F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304F720 mov eax, dword ptr fs:[00000030h]2_2_0304F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F972B mov eax, dword ptr fs:[00000030h]2_2_030F972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310B73C mov eax, dword ptr fs:[00000030h]2_2_0310B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310B73C mov eax, dword ptr fs:[00000030h]2_2_0310B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310B73C mov eax, dword ptr fs:[00000030h]2_2_0310B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310B73C mov eax, dword ptr fs:[00000030h]2_2_0310B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029730 mov eax, dword ptr fs:[00000030h]2_2_03029730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03029730 mov eax, dword ptr fs:[00000030h]2_2_03029730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03065734 mov eax, dword ptr fs:[00000030h]2_2_03065734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303973A mov eax, dword ptr fs:[00000030h]2_2_0303973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303973A mov eax, dword ptr fs:[00000030h]2_2_0303973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03043740 mov eax, dword ptr fs:[00000030h]2_2_03043740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03043740 mov eax, dword ptr fs:[00000030h]2_2_03043740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03043740 mov eax, dword ptr fs:[00000030h]2_2_03043740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03103749 mov eax, dword ptr fs:[00000030h]2_2_03103749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B765 mov eax, dword ptr fs:[00000030h]2_2_0302B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B765 mov eax, dword ptr fs:[00000030h]2_2_0302B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B765 mov eax, dword ptr fs:[00000030h]2_2_0302B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302B765 mov eax, dword ptr fs:[00000030h]2_2_0302B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EF78A mov eax, dword ptr fs:[00000030h]2_2_030EF78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B97A9 mov eax, dword ptr fs:[00000030h]2_2_030B97A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BF7AF mov eax, dword ptr fs:[00000030h]2_2_030BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BF7AF mov eax, dword ptr fs:[00000030h]2_2_030BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BF7AF mov eax, dword ptr fs:[00000030h]2_2_030BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BF7AF mov eax, dword ptr fs:[00000030h]2_2_030BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BF7AF mov eax, dword ptr fs:[00000030h]2_2_030BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031037B6 mov eax, dword ptr fs:[00000030h]2_2_031037B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305D7B0 mov eax, dword ptr fs:[00000030h]2_2_0305D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F7BA mov eax, dword ptr fs:[00000030h]2_2_0302F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030357C0 mov eax, dword ptr fs:[00000030h]2_2_030357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030357C0 mov eax, dword ptr fs:[00000030h]2_2_030357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030357C0 mov eax, dword ptr fs:[00000030h]2_2_030357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303D7E0 mov ecx, dword ptr fs:[00000030h]2_2_0303D7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03061607 mov eax, dword ptr fs:[00000030h]2_2_03061607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306F603 mov eax, dword ptr fs:[00000030h]2_2_0306F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03033616 mov eax, dword ptr fs:[00000030h]2_2_03033616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03033616 mov eax, dword ptr fs:[00000030h]2_2_03033616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F626 mov eax, dword ptr fs:[00000030h]2_2_0302F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03105636 mov eax, dword ptr fs:[00000030h]2_2_03105636
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03069660 mov eax, dword ptr fs:[00000030h]2_2_03069660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03069660 mov eax, dword ptr fs:[00000030h]2_2_03069660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B368C mov eax, dword ptr fs:[00000030h]2_2_030B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B368C mov eax, dword ptr fs:[00000030h]2_2_030B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B368C mov eax, dword ptr fs:[00000030h]2_2_030B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B368C mov eax, dword ptr fs:[00000030h]2_2_030B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302D6AA mov eax, dword ptr fs:[00000030h]2_2_0302D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302D6AA mov eax, dword ptr fs:[00000030h]2_2_0302D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030276B2 mov eax, dword ptr fs:[00000030h]2_2_030276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030276B2 mov eax, dword ptr fs:[00000030h]2_2_030276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030276B2 mov eax, dword ptr fs:[00000030h]2_2_030276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303B6C0 mov eax, dword ptr fs:[00000030h]2_2_0303B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303B6C0 mov eax, dword ptr fs:[00000030h]2_2_0303B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303B6C0 mov eax, dword ptr fs:[00000030h]2_2_0303B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303B6C0 mov eax, dword ptr fs:[00000030h]2_2_0303B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303B6C0 mov eax, dword ptr fs:[00000030h]2_2_0303B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303B6C0 mov eax, dword ptr fs:[00000030h]2_2_0303B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F16CC mov eax, dword ptr fs:[00000030h]2_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F16CC mov eax, dword ptr fs:[00000030h]2_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F16CC mov eax, dword ptr fs:[00000030h]2_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F16CC mov eax, dword ptr fs:[00000030h]2_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EF6C7 mov eax, dword ptr fs:[00000030h]2_2_030EF6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030616CF mov eax, dword ptr fs:[00000030h]2_2_030616CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C36EE mov eax, dword ptr fs:[00000030h]2_2_030C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C36EE mov eax, dword ptr fs:[00000030h]2_2_030C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C36EE mov eax, dword ptr fs:[00000030h]2_2_030C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C36EE mov eax, dword ptr fs:[00000030h]2_2_030C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C36EE mov eax, dword ptr fs:[00000030h]2_2_030C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C36EE mov eax, dword ptr fs:[00000030h]2_2_030C36EE

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 34D008Jump to behavior
          Source: C:\Users\user\Desktop\OVERDUE SOA.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OVERDUE SOA.exe"Jump to behavior
          Source: OVERDUE SOA.exeBinary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		212
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping12
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		212
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          DLL Side-Loading          		NTDS1
          File and Directory Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA Secrets11
          System Information Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          OVERDUE SOA.exe24%ReversingLabs
          OVERDUE SOA.exe100%AviraHEUR/AGEN.1321671
          OVERDUE SOA.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1520070
          Start date and time:2024-09-27 04:30:07 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 38s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:OVERDUE SOA.exe
          Detection:MAL
          Classification:mal92.troj.evad.winEXE@3/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 92%
          • Number of executed functions: 10
          • Number of non-executed functions: 317
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • VT rate limit hit for: OVERDUE SOA.exe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          22:31:25API Interceptor3x Sleep call for process: svchost.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Temp\disturb

          Download File
          Process:C:\Users\user\Desktop\OVERDUE SOA.exe
          File Type:data
          Category:dropped
          Size (bytes):288768
          Entropy (8bit):7.993699110260051
          Encrypted:true
          SSDEEP:3072:k7RDaOpSLvMA8bomSTlc7P+KcISlgiq3eeunawor9Y5rrsnRYW/1Usw0n1ADG22H:k7l10vMmmSTCz2giaUXq9S72si1AS2Pm
          MD5:E294067A32D250E04DB0C1C46A08560F
          SHA1:69D7F63B1842295B64D5703C0D9C24C5680B3D1E
          SHA-256:456F3B96E041BCBE1270FB6CA76BA585F4079497AE118B0F2F2E27B42E186CEE
          SHA-512:2121C92D69455AC4FE28D22A043E10CDF7ED0F1B7F9A3D2BDC3D23A8A5F4F0D3B3432E49BC92A9725A879F41A69851D15D705E55D25102F79CCD37BF54F83C48
          Malicious:false
          Reputation:low
          Preview:}..c.HHMW...>.....9B...K@...L6276UDD0K9A0WR1HHHMWL6276UDD0.9A0YM.FH.D.m.3{.t.,Y8.1B85C)%h.6"X]C.7!dB>WaY9ru..h 8(S.:;_`D0K9A0W+0A.u-0..RP.h$#.Q...m2V.R..pVU.,...+^.b>1Yu(/.WL6276UD.uK9.1VR....MWL6276U.D2J2@;WRgLHHMWL6276.WD0K)A0W"5HHH.WL&276WDD6K9A0WR1NHHMWL627FQDD2K9A0WR3H..MW\62'6UDD K9Q0WR1HHXMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL62.B0<00K9udSR1XHHM.H62'6UDD0K9A0WR1HHhMW,6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL6276UDD0K9A0WR1HHHMWL627

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.541953046976025
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:OVERDUE SOA.exe
          File size:1'363'445 bytes
          MD5:d84ae7497316eee6d5dbe3bfe559224f
          SHA1:9e66f59a26d6021b74eae7ba2df15dbe2e3b0556
          SHA256:840d374a5c77e070befdc5bee5c52ecf4559c7afe7428527c59d03d42b0c3990
          SHA512:d23ee5b80b991929d7e96f235dd06eebe1178f295f06841fec632830596484465b2bc8a2702135bcdd12edbace259c52f6fb4dd9b65052dc69295c2af8c31c0d
          SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCWuNYDZ4et3ymsF2VmOsQotWnCXxNN7MI/:7JZoQrbTFZY1iaCWuNYDZ4Ei7cbotgWN
          TLSH:4955F122B5D69036C2B323B19E7EF7AA963D79360336D19727C42D315EA01816B39733
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

          File Icon

          Icon Hash:1733312925935517

          Static PE Info

          General

          Entrypoint:0x4165c1
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:TERMINAL_SERVER_AWARE
          Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:0
          File Version Major:5
          File Version Minor:0
          Subsystem Version Major:5
          Subsystem Version Minor:0
          Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378

          Entrypoint Preview

          Instruction
          call 00007F45E98371CBh
          jmp 00007F45E982E03Eh
          int3
          int3
          int3
          int3
          int3
          push ebp
          mov ebp, esp
          push edi
          push esi
          mov esi, dword ptr [ebp+0Ch]
          mov ecx, dword ptr [ebp+10h]
          mov edi, dword ptr [ebp+08h]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007F45E982E1BAh
          cmp edi, eax
          jc 00007F45E982E356h
          cmp ecx, 00000080h
          jc 00007F45E982E1CEh
          cmp dword ptr [004A9724h], 00000000h
          je 00007F45E982E1C5h
          push edi
          push esi
          and edi, 0Fh
          and esi, 0Fh
          cmp edi, esi
          pop esi
          pop edi
          jne 00007F45E982E1B7h
          jmp 00007F45E982E592h
          test edi, 00000003h
          jne 00007F45E982E1C6h
          shr ecx, 02h
          and edx, 03h
          cmp ecx, 08h
          jc 00007F45E982E1DBh
          rep movsd
          jmp dword ptr [00416740h+edx*4]
          mov eax, edi
          mov edx, 00000003h
          sub ecx, 04h
          jc 00007F45E982E1BEh
          and eax, 03h
          add ecx, eax
          jmp dword ptr [00416654h+eax*4]
          jmp dword ptr [00416750h+ecx*4]
          nop
          jmp dword ptr [004166D4h+ecx*4]
          nop
          inc cx
          add byte ptr [eax-4BFFBE9Ah], dl
          inc cx
          add byte ptr [ebx], ah
          ror dword ptr [edx-75F877FAh], 1
          inc esi
          add dword ptr [eax+468A0147h], ecx
          add al, cl
          jmp 00007F45EBCA69B7h
          add esi, 03h
          add edi, 03h
          cmp ecx, 08h
          jc 00007F45E982E17Eh
          rep movsd
          jmp dword ptr [00000000h+edx*4]

          Rich Headers

          Programming Language:
          • [ C ] VS2010 SP1 build 40219
          • [C++] VS2010 SP1 build 40219
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2010 SP1 build 40219
          • [RES] VS2010 SP1 build 40219
          • [LNK] VS2010 SP1 build 40219

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0x8d41c0x154.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0xab0000x9328.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x820000x844.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x8061c0x8080061ffce4768976fa0dd2a8f6a97b1417aFalse0.5583182605787937data6.684690148171278IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata0x820000xdfc00xe0000354bc5f2376b5e9a4a3ba38b682dff1False0.36085728236607145data4.799741132252136IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data0x900000x1a7580x68008033f5a38941b4685bc2299e78f31221False0.15324519230769232data2.1500715391677487IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0xab0000x93280x9400495451d7eb8326bd9fa2714869ea6de8False0.49002322635135137data5.541804843154628IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_ICON0xab5c80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
          RT_ICON0xab6f00x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
          RT_ICON0xab8180x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
          RT_ICON0xab9400x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishGreat Britain0.48109756097560974
          RT_ICON0xabfa80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishGreat Britain0.5672043010752689
          RT_ICON0xac2900x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishGreat Britain0.6418918918918919
          RT_ICON0xac3b80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishGreat Britain0.7044243070362474
          RT_ICON0xad2600x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishGreat Britain0.8077617328519856
          RT_ICON0xadb080x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishGreat Britain0.5903179190751445
          RT_ICON0xae0700x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishGreat Britain0.5503112033195021
          RT_ICON0xb06180x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishGreat Britain0.6050656660412758
          RT_ICON0xb16c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishGreat Britain0.7553191489361702
          RT_MENU0xb1b280x50dataEnglishGreat Britain0.9
          RT_DIALOG0xb1b780xfcdataEnglishGreat Britain0.6507936507936508
          RT_STRING0xb1c780x530dataEnglishGreat Britain0.33960843373493976
          RT_STRING0xb21a80x690dataEnglishGreat Britain0.26964285714285713
          RT_STRING0xb28380x4d0dataEnglishGreat Britain0.36363636363636365
          RT_STRING0xb2d080x5fcdataEnglishGreat Britain0.3087467362924282
          RT_STRING0xb33080x65cdataEnglishGreat Britain0.34336609336609336
          RT_STRING0xb39680x388dataEnglishGreat Britain0.377212389380531
          RT_STRING0xb3cf00x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.502906976744186
          RT_GROUP_ICON0xb3e480x84dataEnglishGreat Britain0.6439393939393939
          RT_GROUP_ICON0xb3ed00x14dataEnglishGreat Britain1.15
          RT_GROUP_ICON0xb3ee80x14dataEnglishGreat Britain1.25
          RT_GROUP_ICON0xb3f000x14dataEnglishGreat Britain1.25
          RT_VERSION0xb3f180x19cdataEnglishGreat Britain0.5339805825242718
          RT_MANIFEST0xb40b80x26cASCII text, with CRLF line terminatorsEnglishUnited States0.5145161290322581

          Imports

          DLLImport
          WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
          VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dllImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
          MPR.dllWNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
          WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
          PSAPI.DLLEnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
          USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
          KERNEL32.dllHeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
          USER32.dllGetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
          GDI32.dllDeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
          COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
          SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
          OLEAUT32.dllVariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          EnglishGreat Britain
          EnglishUnited States

          Network Behavior

          No network behavior found

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:22:31:02
          Start date:26/09/2024
          Path:C:\Users\user\Desktop\OVERDUE SOA.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\OVERDUE SOA.exe"
          Imagebase:0x400000
          File size:1'363'445 bytes
          MD5 hash:D84AE7497316EEE6D5DBE3BFE559224F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          General

          Target ID:2
          Start time:22:31:06
          Start date:26/09/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\OVERDUE SOA.exe"
          Imagebase:0x7d0000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1670193955.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:0.9%
            Dynamic/Decrypted Code Coverage:6.5%
            Signature Coverage:6.5%
            Total number of Nodes:92
            Total number of Limit Nodes:8
            execution_graph 77746 42fa43 77749 42e823 77746->77749 77752 42cad3 77749->77752 77751 42e83c 77753 42caf0 77752->77753 77754 42cb01 RtlFreeHeap 77753->77754 77754->77751 77755 424ae3 77756 424aff 77755->77756 77757 424b27 77756->77757 77758 424b3b 77756->77758 77760 42c753 NtClose 77757->77760 77765 42c753 77758->77765 77762 424b30 77760->77762 77761 424b44 77768 42e943 RtlAllocateHeap 77761->77768 77764 424b4f 77766 42c770 77765->77766 77767 42c781 NtClose 77766->77767 77767->77761 77768->77764 77769 42e903 77772 42ca83 77769->77772 77771 42e91e 77773 42ca9d 77772->77773 77774 42caae RtlAllocateHeap 77773->77774 77774->77771 77845 424e73 77850 424e8c 77845->77850 77846 424f1c 77847 424ed7 77848 42e823 RtlFreeHeap 77847->77848 77849 424ee7 77848->77849 77850->77846 77850->77847 77851 424f17 77850->77851 77852 42e823 RtlFreeHeap 77851->77852 77852->77846 77853 42bd13 77854 42bd30 77853->77854 77857 3072df0 LdrInitializeThunk 77854->77857 77855 42bd58 77857->77855 77775 413d43 77779 413d63 77775->77779 77777 413dcc 77778 413dc2 77779->77777 77780 41b513 RtlFreeHeap LdrInitializeThunk 77779->77780 77780->77778 77781 3072b60 LdrInitializeThunk 77782 401aaf 77783 401abc 77782->77783 77786 42feb3 77783->77786 77789 42e3d3 77786->77789 77790 42e3f9 77789->77790 77799 407563 77790->77799 77792 42e40f 77798 401c24 77792->77798 77802 41b203 77792->77802 77794 42e42e 77795 42e443 77794->77795 77796 42cb23 ExitProcess 77794->77796 77813 42cb23 77795->77813 77796->77795 77816 416543 77799->77816 77801 407570 77801->77792 77803 41b22f 77802->77803 77834 41b0f3 77803->77834 77806 41b274 77808 41b290 77806->77808 77811 42c753 NtClose 77806->77811 77807 41b25c 77809 41b267 77807->77809 77810 42c753 NtClose 77807->77810 77808->77794 77809->77794 77810->77809 77812 41b286 77811->77812 77812->77794 77814 42cb40 77813->77814 77815 42cb51 ExitProcess 77814->77815 77815->77798 77817 416560 77816->77817 77819 416579 77817->77819 77820 42d1a3 77817->77820 77819->77801 77822 42d1bd 77820->77822 77821 42d1ec 77821->77819 77822->77821 77827 42bd63 77822->77827 77825 42e823 RtlFreeHeap 77826 42d265 77825->77826 77826->77819 77828 42bd80 77827->77828 77831 3072c0a 77828->77831 77829 42bdac 77829->77825 77832 3072c11 77831->77832 77833 3072c1f LdrInitializeThunk 77831->77833 77832->77829 77833->77829 77835 41b10d 77834->77835 77839 41b1e9 77834->77839 77840 42be03 77835->77840 77838 42c753 NtClose 77838->77839 77839->77806 77839->77807 77841 42be1d 77840->77841 77844 30735c0 LdrInitializeThunk 77841->77844 77842 41b1dd 77842->77838 77844->77842 77858 4178fe 77859 417901 77858->77859 77860 4178be 77858->77860 77861 4178e3 LdrLoadDll 77860->77861 77862 4178fa 77860->77862 77861->77862

            Executed Functions

            Function 00417883 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 22 417883-41789f 23 4178a7-4178ac 22->23 24 4178a2 call 42f523 22->24 25 4178b2-4178c0 call 42fb23 23->25 26 4178ae-4178b1 23->26 24->23 30 4178d0-4178e1 call 42dea3 25->30 31 4178c2-4178cd call 42fdc3 25->31 36 4178e3-4178f7 LdrLoadDll 30->36 37 4178fa-4178fd 30->37 31->30 36->37
            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178F5
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: e5c4bbe89f40af0726b0f43d48a7e7614d557be38eb8230b4c9e55b121e15b07
            • Instruction ID: a0c37dff0129ecde4e604a7e5538e5a43d5b941f9cb87f3eacc9c9c84b095d1c
            • Opcode Fuzzy Hash: e5c4bbe89f40af0726b0f43d48a7e7614d557be38eb8230b4c9e55b121e15b07
            • Instruction Fuzzy Hash: 7E011EB5E0020DBBDF10EAE5DC46FDEB7789B54308F4081AAE90897241F635EB58CB95
            Function 0042C753 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 48 42c753-42c78f call 4048e3 call 42d993 NtClose
            APIs
            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C78A
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            • Opcode ID: 35af77d883470ba60f9356892d958fd741f5bc8cd55b1907fa4f9f8c6b65b2ac
            • Instruction ID: d46e80b1df54a4b5232f7abf91cfbbe41bdfd1c9f65068c3eb417ed65bfef87e
            • Opcode Fuzzy Hash: 35af77d883470ba60f9356892d958fd741f5bc8cd55b1907fa4f9f8c6b65b2ac
            • Instruction Fuzzy Hash: 71E04F766406147BD620AA5ADC01F9B776CDFC5710F008429FA0867245CA717A1587A4
            Function 030735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 64 30735c0-30735cc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 467e976f46e37073f495828fbb8c46a225d948725581b2d38fed6297dcbcc567
            • Instruction ID: 4fb367fa3e6d522a34980a98d149cddb88a1beb4535a50ecc5817c63b3a8f904
            • Opcode Fuzzy Hash: 467e976f46e37073f495828fbb8c46a225d948725581b2d38fed6297dcbcc567
            • Instruction Fuzzy Hash: BF90023160650802E100B2588554746104687D0301FA5C411A082456CD87958A5165A2
            Function 03072B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 62 3072b60-3072b6c LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: c2864eb0aa40ae442fafd955dad36e1b12e8194d0df41917ff58320859b5bae4
            • Instruction ID: a2e36d66a1929a559374efda2c289cd63c9344a5a9e14ef8da73e41d35bde325
            • Opcode Fuzzy Hash: c2864eb0aa40ae442fafd955dad36e1b12e8194d0df41917ff58320859b5bae4
            • Instruction Fuzzy Hash: CC900261203404035105B2588454656404B87E0301B95C021E1414594DC62589916125
            Function 03072DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 63 3072df0-3072dfc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 46e9ba65936f9c5d9cd069e5dceb3c0b7e65d0dc8f9c9eb1b28fd4e7869207c5
            • Instruction ID: 8a2d8998b189b61c1a792f2cc443a34c8f4efd984ae315557f11c2b3409fa906
            • Opcode Fuzzy Hash: 46e9ba65936f9c5d9cd069e5dceb3c0b7e65d0dc8f9c9eb1b28fd4e7869207c5
            • Instruction Fuzzy Hash: 5990023120240813E111B2588544747004A87D0341FD5C412A082455CD97568A52A121
            Function 004178FE Relevance: 1.6, APIs: 1, Instructions: 58libraryloaderCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 9 4178fe-4178ff 10 417901-417939 9->10 11 4178be-4178c0 9->11 12 4178d0-4178e1 call 42dea3 11->12 13 4178c2-4178cd call 42fdc3 11->13 20 4178e3-4178f7 LdrLoadDll 12->20 21 4178fa-4178fd 12->21 13->12 20->21
            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178F5
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 4a53ede1bae45f6d398f4179464cd6ca97a25b6859c0e85a43f19cf707b38f3e
            • Instruction ID: a90f654782f61fbd6731bfaa855a72fbb800df32093ff9bff96c7bdb7bf5be36
            • Opcode Fuzzy Hash: 4a53ede1bae45f6d398f4179464cd6ca97a25b6859c0e85a43f19cf707b38f3e
            • Instruction Fuzzy Hash: F90149B1A0410A7BEB11EAA09C45FDFB7BCDB51208F40426BF8059B281E235DAC9C795
            Function 0042CAD3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 43 42cad3-42cb17 call 4048e3 call 42d993 RtlFreeHeap
            APIs
            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,758B0C7D,00000007,00000000,00000004,00000000,0041710C,000000F4), ref: 0042CB12
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 63c99f41b55af0cd1ca8660b25d072d20ec73afde797f6f0de5d689eeeccac8e
            • Instruction ID: c0661d8aed1aa1d3c53c115302787f5fb8ab18bfce10d22f5e32284c0c1dae7b
            • Opcode Fuzzy Hash: 63c99f41b55af0cd1ca8660b25d072d20ec73afde797f6f0de5d689eeeccac8e
            • Instruction Fuzzy Hash: 1AE06DB62042057BD710EE59EC41EAB77ADEFC9710F00442DF908A7241CA71BA1087B8
            Function 0042CA83 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 38 42ca83-42cac4 call 4048e3 call 42d993 RtlAllocateHeap
            APIs
            • RtlAllocateHeap.NTDLL(?,0041E69E,?,?,00000000,?,0041E69E,?,?,?), ref: 0042CABF
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 2f79453456b372df221fd68e69f98eb51f856ab049541b41314eb8c6b47891b1
            • Instruction ID: b3df10513e966b1ded1cce422b4e8743eeca37dbb7146ca7b83c8e2e31e65d0c
            • Opcode Fuzzy Hash: 2f79453456b372df221fd68e69f98eb51f856ab049541b41314eb8c6b47891b1
            • Instruction Fuzzy Hash: 22E06DB62002147BDB10EE5AEC41FDB77ADEFC9710F004429FA08A7241C671B91087B8
            Function 0042CB23 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 53 42cb23-42cb5f call 4048e3 call 42d993 ExitProcess
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 63b94393ee37b62b4f51706b440d581d5114a9a80b6208d11f54f6c77f1153ca
            • Instruction ID: 522595a57dd4c80dd30431028f84abfbbfa4f2b893a379ce3d26f53a246e2515
            • Opcode Fuzzy Hash: 63b94393ee37b62b4f51706b440d581d5114a9a80b6208d11f54f6c77f1153ca
            • Instruction Fuzzy Hash: 82E046BA2002147BD220BA9ADC02F9B776DDBC5754F00442AFA08A7242C770BA0186F5
            Function 03072C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 58 3072c0a-3072c0f 59 3072c11-3072c18 58->59 60 3072c1f-3072c26 LdrInitializeThunk 58->60
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: e3b92376376056dd122cbe8410babdc9309be898e7d0726aea8d35adae4963fb
            • Instruction ID: 978ff8379b2714e3c8432404cb067043a0d8e278491b8802dcd243ad10882349
            • Opcode Fuzzy Hash: e3b92376376056dd122cbe8410babdc9309be898e7d0726aea8d35adae4963fb
            • Instruction Fuzzy Hash: 3BB09B71D035C9C5EA51F7604608717794967D0701F59C461D3430645F4739C1D1E175

            Non-executed Functions

            Function 030B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2160512332
            • Opcode ID: cd6b9eb5fd196b5e77b98da1cf61243c988cff8c3996d502c08cf245b1ba75f8
            • Instruction ID: 7e1d42b5e95240b4ace52c6fae4b4ef91a56037da577e7bd1ad378f691ac07df
            • Opcode Fuzzy Hash: cd6b9eb5fd196b5e77b98da1cf61243c988cff8c3996d502c08cf245b1ba75f8
            • Instruction Fuzzy Hash: 9292587560A341ABD725DE24C880BABB7FCBB88750F184D2DFA94DB250D770E844CB96
            Function 030268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-3089669407
            • Opcode ID: 34c5a25b0bbf6b468097c9c37da5149b99e15559becc3df426445d9f74965ebb
            • Instruction ID: d2857abe527f878acbbc7b7c683fbf7aaa860539f6aec1f8d2c2444dac64bfc9
            • Opcode Fuzzy Hash: 34c5a25b0bbf6b468097c9c37da5149b99e15559becc3df426445d9f74965ebb
            • Instruction Fuzzy Hash: CC8101B6D032187F9B16FB98DDC4EEEB7BEAB58610B044421B910FB114E721ED548BB0
            Function 03068620 Relevance: 19.0, Strings: 15, Instructions: 223COMMON
            Download Yara Rule
            Strings
            • double initialized or corrupted critical section, xrefs: 030A5508
            • Critical section address., xrefs: 030A5502
            • Thread identifier, xrefs: 030A553A
            • undeleted critical section in freed memory, xrefs: 030A542B
            • Address of the debug info found in the active list., xrefs: 030A54AE, 030A54FA
            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 030A540A, 030A5496, 030A5519
            • 8, xrefs: 030A52E3
            • Thread is in a state in which it cannot own a critical section, xrefs: 030A5543
            • IQwIQw@4Qw@4Qw, xrefs: 030A5341, 030A534D
            • Invalid debug info address of this critical section, xrefs: 030A54B6
            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 030A54CE
            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 030A54E2
            • Critical section address, xrefs: 030A5425, 030A54BC, 030A5534
            • corrupted critical section, xrefs: 030A54C2
            • Critical section debug info address, xrefs: 030A541F, 030A552E
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$IQwIQw@4Qw@4Qw
            • API String ID: 0-1658047389
            • Opcode ID: 2fe396a9bda189fd5cee1ade8ca23bbe4ac13c327e0c3928ef2f177c06abb9b4
            • Instruction ID: 05a912d8470b3a1d0d4ebad9db8dd29e82ab4c33e1cc9876ddf294650a63ccbc
            • Opcode Fuzzy Hash: 2fe396a9bda189fd5cee1ade8ca23bbe4ac13c327e0c3928ef2f177c06abb9b4
            • Instruction Fuzzy Hash: 87819CB1A02758AFDB20CF98DC40BAEBBF9FB49704F148159F558BB641D3B1A940CB64
            Function 03060F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
            • API String ID: 0-360209818
            • Opcode ID: 865ae5aa7a9d7064c5307bc09d5ab823507ca28146658e773f5f9eebfb7fdf09
            • Instruction ID: 07c188140329b1d834052b7aabf5d9ac8a2b799eab74b8400ea794f80bc635d3
            • Opcode Fuzzy Hash: 865ae5aa7a9d7064c5307bc09d5ab823507ca28146658e773f5f9eebfb7fdf09
            • Instruction Fuzzy Hash: 5462C0B5E026298FDB68CF58D8407ADB7F6BF85310F1882DAD449AB240D7725AE1CF40
            Function 030E12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
            • API String ID: 0-3591852110
            • Opcode ID: 5378d35edcc610b719b2d0ead884de4fd886fb07ebe7b5ff8d5fb4bce4023cac
            • Instruction ID: 8ecbc226705e39d5a9a3d32a58087f5e247ca1b15f774d5cd9841f258c36e171
            • Opcode Fuzzy Hash: 5378d35edcc610b719b2d0ead884de4fd886fb07ebe7b5ff8d5fb4bce4023cac
            • Instruction Fuzzy Hash: A512BC75706642DFD729CF28C441BBAFBF5EF49704F188899E4968BA81D738E880CB50
            Function 0304AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
            • API String ID: 0-3197712848
            • Opcode ID: 10a0b51bfe1bc27d2508ff06441ab61b6e637660fb694791e0e686ce045bcb72
            • Instruction ID: 9de5049347c7334c8c93c82ec89aeb01680b31bda20392c43fd2d424abacbda1
            • Opcode Fuzzy Hash: 10a0b51bfe1bc27d2508ff06441ab61b6e637660fb694791e0e686ce045bcb72
            • Instruction Fuzzy Hash: 4012FFB1A0A3419FD764DF28C440BAEB3E4FFC5704F08496AF9858B291E734DA44CB92
            Function 0302D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
            • API String ID: 0-3532704233
            • Opcode ID: d9cdaef6c8b41055ee5582c37bb1e741f218b928fccf42199f0a308bd3f5cdf3
            • Instruction ID: be7b45f7d030e641e8e246dcf08494377f416c01585208560dec6cced681689e
            • Opcode Fuzzy Hash: d9cdaef6c8b41055ee5582c37bb1e741f218b928fccf42199f0a308bd3f5cdf3
            • Instruction Fuzzy Hash: 02B1AD7190A3619FC761EF24C480AAFBBE8AF88754F054D2EF899DB240D770DD448B92
            Function 030E0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
            • API String ID: 0-1357697941
            • Opcode ID: ebc7e0432f95f0a44720f6c17b46a81c16b8842db9155c83d85f4cc66a70892f
            • Instruction ID: c13b29938e4f45e27828205e5afa29e8410bf6de1dd4daf85b36a18e26911157
            • Opcode Fuzzy Hash: ebc7e0432f95f0a44720f6c17b46a81c16b8842db9155c83d85f4cc66a70892f
            • Instruction Fuzzy Hash: 9FF11335B06256EFCB25CF6AC440BEAFBF5FF0A300F088459E4959B692C7B4A945CB50
            Function 030C9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
            • API String ID: 0-3063724069
            • Opcode ID: 13f01cd4069fab49287ed2cd382df961e0044e8ce47aafd86940c262176e31b4
            • Instruction ID: de18be8177d52b8ed8fe643531c5fd871afc683f55c0e962587bee952fdc10e5
            • Opcode Fuzzy Hash: 13f01cd4069fab49287ed2cd382df961e0044e8ce47aafd86940c262176e31b4
            • Instruction Fuzzy Hash: 78D1E2B281A395AFD721DB64C840BAFB7ECAFC4B14F04496DFA849B190D770C9448B96
            Function 030E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
            • API String ID: 0-1700792311
            • Opcode ID: 5a13918bb50c1e8a7f1ee014ad4143285e5002209b6812b8cd388a847f1ecbcd
            • Instruction ID: 1d6f1c9ac44930d382db9cf99906d1c3ba7680d707ed3285bb73d10c2ff1022d
            • Opcode Fuzzy Hash: 5a13918bb50c1e8a7f1ee014ad4143285e5002209b6812b8cd388a847f1ecbcd
            • Instruction Fuzzy Hash: 96D1E075602785EFCB26DF6AC440AAEFBF1FF8A710F088049E4559F652CBB49981CB14
            Function 0302D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 0302D2AF
            • Control Panel\Desktop\LanguageConfiguration, xrefs: 0302D196
            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0302D146
            • @, xrefs: 0302D313
            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0302D0CF
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0302D2C3
            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0302D262
            • @, xrefs: 0302D0FD
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
            • API String ID: 0-1356375266
            • Opcode ID: 6aff9b4abd1d1003bf1dc71a9cde4d1bfcb5bb1d37bf9b9b78ea00a75a20f250
            • Instruction ID: c354da6637cd1d6ea3ee940d7365e6af31db531559f7974c7ac1e1343b975327
            • Opcode Fuzzy Hash: 6aff9b4abd1d1003bf1dc71a9cde4d1bfcb5bb1d37bf9b9b78ea00a75a20f250
            • Instruction Fuzzy Hash: F9A19B7190A3559FD360DF24C884B9FBBE8BB84715F004D2EEA989A240D774D908CF92
            Function 03049EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
            Download Yara Rule
            Strings
            • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 030976EE
            • @, xrefs: 03049EE7
            • Internal error check failed, xrefs: 03097718, 030978A9
            • minkernel\ntdll\sxsisol.cpp, xrefs: 03097713, 030978A4
            • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03097709
            • Status != STATUS_NOT_FOUND, xrefs: 0309789A
            • sxsisol_SearchActCtxForDllName, xrefs: 030976DD
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
            • API String ID: 0-761764676
            • Opcode ID: c9470fa040eb049fb2370748e1db2e0e66d8a6707d3a4b49c4e6bd3508fd95fe
            • Instruction ID: 981be90a95646b624a9960969d7e2134808e3b26f75c8198aa4a549f56b0dacd
            • Opcode Fuzzy Hash: c9470fa040eb049fb2370748e1db2e0e66d8a6707d3a4b49c4e6bd3508fd95fe
            • Instruction Fuzzy Hash: 05129D75A01215DFDF24CFA8C881AEEB7F4FF48710F1984AAE849EB241E7359941CB64
            Function 0303EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
            • API String ID: 0-1109411897
            • Opcode ID: 3b0d1fd1f07704ca0680317037a7a52f775ad8f7bc0ac9c9ce187ffbc492510e
            • Instruction ID: 41655ef2425c71216ceda401aff4aa6502c6b9781f1216471d7a82f17601b9f9
            • Opcode Fuzzy Hash: 3b0d1fd1f07704ca0680317037a7a52f775ad8f7bc0ac9c9ce187ffbc492510e
            • Instruction Fuzzy Hash: 03A21975E0662A8FDF64DF19CC987ADB7B9AF46304F1442EAD809A7250DB349E85CF00
            Function 0302F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-523794902
            • Opcode ID: 3850b26c3bda85a4648b8167c1fa9199b407555f131287f5ecc6364875fd5568
            • Instruction ID: c38b78fa76bce9c20af8e93c7c9f72d0baf4c738a51a09236476f16e13542cb4
            • Opcode Fuzzy Hash: 3850b26c3bda85a4648b8167c1fa9199b407555f131287f5ecc6364875fd5568
            • Instruction Fuzzy Hash: 2342107520A3929FC714EF28C884B6AFBF5FF89244F0849ADE8858B381D734D945CB51
            Function 0303ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
            • API String ID: 0-4098886588
            • Opcode ID: c29788fd34ad46c6239f812ba7ad5808e2df54d8f5233ea9fe22bce6ac3634d4
            • Instruction ID: 2c30334a6cd56d6b19be4901ba441756fcab1499555e76444ea8058b2b870e92
            • Opcode Fuzzy Hash: c29788fd34ad46c6239f812ba7ad5808e2df54d8f5233ea9fe22bce6ac3634d4
            • Instruction Fuzzy Hash: FB32D175E062698BEF61CF18CC94BEEB7BDAF46344F1841EAE449A7250D7719E808F40
            Function 0304B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
            • API String ID: 0-122214566
            • Opcode ID: 7d3117e8511920053ecdc57820405071bbf49d7f7e17f66daa0aae2d26bbd45b
            • Instruction ID: d4e3e3cf048880577f1abdae1676c937f554fce221f0f11f7e44f459688eb057
            • Opcode Fuzzy Hash: 7d3117e8511920053ecdc57820405071bbf49d7f7e17f66daa0aae2d26bbd45b
            • Instruction Fuzzy Hash: 98C14EB1A03315ABDF24DB69C8807BEB7E5AF85700F188479E8859F781E7B4DA44C391
            Function 030663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
            • API String ID: 0-792281065
            • Opcode ID: 76407946a38a108f5ed9bae41d2270d2bbe2ea17ef18ceb7e08eb9fec7797796
            • Instruction ID: 0cc449c92972e385953434e43e3ee60f8936641a758e5d9818cfb549888848f2
            • Opcode Fuzzy Hash: 76407946a38a108f5ed9bae41d2270d2bbe2ea17ef18ceb7e08eb9fec7797796
            • Instruction Fuzzy Hash: F1915934A03B18ABDB38EF99E844BAEB7A5EF85B14F040528E4106F785D7B59851C7A0
            Function 03062674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 030A2180
            • RtlGetAssemblyStorageRoot, xrefs: 030A2160, 030A219A, 030A21BA
            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 030A219F
            • SXS: %s() passed the empty activation context, xrefs: 030A2165
            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 030A2178
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 030A21BF
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
            • API String ID: 0-861424205
            • Opcode ID: 87dad0e730b31197bff9bb59942becce483c3fd66a6ee4d40991e25597564772
            • Instruction ID: 700d3b0ed54de3d77a6aee8cfacbb53363c671a54a1c541db9b5a44fb90ef445
            • Opcode Fuzzy Hash: 87dad0e730b31197bff9bb59942becce483c3fd66a6ee4d40991e25597564772
            • Instruction Fuzzy Hash: 4F310936F83215BBE721CA9D9C41F9FB6BCDBA4E50F054869FA046B145D270DA00C7A1
            Function 0306C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 0306C6C3
            • Loading import redirection DLL: '%wZ', xrefs: 030A8170
            • LdrpInitializeImportRedirection, xrefs: 030A8177, 030A81EB
            • Unable to build import redirection Table, Status = 0x%x, xrefs: 030A81E5
            • LdrpInitializeProcess, xrefs: 0306C6C4
            • minkernel\ntdll\ldrredirect.c, xrefs: 030A8181, 030A81F5
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-475462383
            • Opcode ID: b63f68c606b8195e60f5a8953d3988cdb944f0d77b1f4c19134cd8006da2eed7
            • Instruction ID: a6558abb29b1cdd9abae7e30a532531a06809cde5b4b928ddc4c0c06a59165e8
            • Opcode Fuzzy Hash: b63f68c606b8195e60f5a8953d3988cdb944f0d77b1f4c19134cd8006da2eed7
            • Instruction Fuzzy Hash: 6231F375746705AFD224EF68DD46E6BB7E4EFC4B10F040958F885AF295E620EC04CBA2
            Function 030B9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
            • API String ID: 0-3127649145
            • Opcode ID: 819d755d27159146512ecaf3645c1143384460363214a9557390a1337d5ff408
            • Instruction ID: aee7c5e36bd83a5b7399a5c8c9450fe8bd8997841b5e599d65eeb0c07547d5a4
            • Opcode Fuzzy Hash: 819d755d27159146512ecaf3645c1143384460363214a9557390a1337d5ff408
            • Instruction Fuzzy Hash: F7323B75A027199BDB61DF25CC88BDAB7F8FF88300F1045EAE509A7650DB71AA84CF50
            Function 03049950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
            • API String ID: 0-3393094623
            • Opcode ID: 5ae41e70bde88351cf78fb2bbb54081c4e13e2eff91bc01d6e5fa5d7afbbb6d1
            • Instruction ID: 4bcb6670c40c0dfe7f1bce0ecb400252e2bb96e80197783a4f9f79f2ad721649
            • Opcode Fuzzy Hash: 5ae41e70bde88351cf78fb2bbb54081c4e13e2eff91bc01d6e5fa5d7afbbb6d1
            • Instruction Fuzzy Hash: 88025AB150A3418FD760CF64C184BABF7E4BF89704F44897EE9998B250D770DA44CB92
            Function 030551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
            Download Yara Rule
            Strings
            • Kernel-MUI-Language-SKU, xrefs: 0305542B
            • Kernel-MUI-Number-Allowed, xrefs: 03055247
            • WindowsExcludedProcs, xrefs: 0305522A
            • Kernel-MUI-Language-Disallowed, xrefs: 03055352
            • Kernel-MUI-Language-Allowed, xrefs: 0305527B
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
            • API String ID: 0-258546922
            • Opcode ID: 3043916f603c695d850900ec80c18e82d8cdb97f4e1f3d9862c18b45fa20689c
            • Instruction ID: d3a670c5fff728fb91cc23997bdaa614f29bb1a971f3ae026e027ebba76aaaa1
            • Opcode Fuzzy Hash: 3043916f603c695d850900ec80c18e82d8cdb97f4e1f3d9862c18b45fa20689c
            • Instruction Fuzzy Hash: C7F14B76D02218EFDF15DF98C980AEFBBF9EF49650F15406AE906AB250D7709E01CB90
            Function 030B4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
            • API String ID: 0-2518169356
            • Opcode ID: ee022b7dc2d1703a2a349af3ba5f631aa10e586a325484430b37c6fcf50184f4
            • Instruction ID: 78b1ec008ab54ec97fa34f6ed83595b298b8afa8dbd48a85112efcd75a2f0c1d
            • Opcode Fuzzy Hash: ee022b7dc2d1703a2a349af3ba5f631aa10e586a325484430b37c6fcf50184f4
            • Instruction Fuzzy Hash: 6591D072D1261A9BCB20CF69C881AFEB7F4EF89310F1945A9E810EB350D735DA01CB90
            Function 0305D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1975516107
            • Opcode ID: 10be077bb28bf864af4e373f39ff3d44822cbef693a04c77a6a24479305af37b
            • Instruction ID: 043190974577d1f05ba0be4749278d239ffa483fbf0f3a6e0fd6bcaf2d32a6e9
            • Opcode Fuzzy Hash: 10be077bb28bf864af4e373f39ff3d44822cbef693a04c77a6a24479305af37b
            • Instruction Fuzzy Hash: CD510375A02349DFDB24EFA4C4847EEBBF2FF48314F18455AE8016B291D770A991CB90
            Function 030276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
            • API String ID: 0-3061284088
            • Opcode ID: 80de5770758086b31e6b76ccae01c1c28ba2f0f830b7d28f11d8b66a5054c50f
            • Instruction ID: 178e2b33569a7599ccf2c62b92203e0183e62276ddb19d5d6d6fc08a6505e862
            • Opcode Fuzzy Hash: 80de5770758086b31e6b76ccae01c1c28ba2f0f830b7d28f11d8b66a5054c50f
            • Instruction Fuzzy Hash: 0501283611B260EEE22AF319940DF9AFBD4DB82E70F18405AE0544F592CEA89880CA20
            Function 030470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 2c6698e3b3039f830c9a4d5461e9ee171fdd6813e35280ac4db9a577e086bc52
            • Instruction ID: e0e0aed767fe6c51dbdd31eb3168c3cffd1def072507e0b6c83ea2093e76b1ba
            • Opcode Fuzzy Hash: 2c6698e3b3039f830c9a4d5461e9ee171fdd6813e35280ac4db9a577e086bc52
            • Instruction Fuzzy Hash: 9813BCB0A02615DFDB68CF68C4807ADFBF1BF49704F1885A9D859AB381D735AA41CF90
            Function 03041070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
            • API String ID: 0-3570731704
            • Opcode ID: d14d6012b9b2d8724026a89aef4c431724ae577aebf76ebf2f04ced9db8142dc
            • Instruction ID: b9892dea3a93d9e4361baa43708e2659e12f76cba9b57b75825e6e8f5424e4d7
            • Opcode Fuzzy Hash: d14d6012b9b2d8724026a89aef4c431724ae577aebf76ebf2f04ced9db8142dc
            • Instruction Fuzzy Hash: 00926BB5A02229CFEB65CF19CC40BA9B7B5BF45314F0981EAD949AB290D7349EC0CF51
            Function 0304A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
            Download Yara Rule
            Strings
            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03097D03
            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03097D39
            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03097D56
            • SsHd, xrefs: 0304A885
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
            • API String ID: 0-2905229100
            • Opcode ID: 19e451334ea185890289826646bffd7b1cabe86c60be5fc03107ab092ff4dce0
            • Instruction ID: 68138096667b3e84b5d33d61d122584fbc7bb0b796160104a4058b7d6e2391f2
            • Opcode Fuzzy Hash: 19e451334ea185890289826646bffd7b1cabe86c60be5fc03107ab092ff4dce0
            • Instruction Fuzzy Hash: C8D17FB6A422159FDF24CF98D8806ADF7F5FF48710F19406AE845AB341D371EA51CBA0
            Function 03043D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 5b1e11648d243ab8a065f1172377bf82975248a1216fdfbb92b1930fb81d20c8
            • Instruction ID: d56efa8fd293008f0d2a094ebfbf2299af4a45f78b46d35a199a680cc01b6915
            • Opcode Fuzzy Hash: 5b1e11648d243ab8a065f1172377bf82975248a1216fdfbb92b1930fb81d20c8
            • Instruction Fuzzy Hash: E3E2B0B4A012159FDB64CF6AC490BADFBF1FF49304F1881A9D849AB385D734AA45CF90
            Function 0303A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
            • API String ID: 0-379654539
            • Opcode ID: 94693de77df291677fc9bd7b1b761589cc99a9e7a5081fe372ae4765c1d29396
            • Instruction ID: a2f22c6f3ff2ce5c4933d435fd639cc267a189b984c3696db35e107eb3e5983c
            • Opcode Fuzzy Hash: 94693de77df291677fc9bd7b1b761589cc99a9e7a5081fe372ae4765c1d29396
            • Instruction Fuzzy Hash: 12C1787460A386DFDB11CF18C044BAAB7E8BF86704F048D6AF8D58B650E735CA49CB52
            Function 03040C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 030954D1, 03095592
            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 030954ED
            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 030955AE
            • HEAP: , xrefs: 030954E0, 030955A1
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
            • API String ID: 0-1657114761
            • Opcode ID: 34d72509920e828fb7861e436f2630ef902294bfc62da8167ca290b37d0a26f2
            • Instruction ID: 6e77dae0b0af3c811f4922b0b80cbfbaa275f8a7daa714a7a1d8ee69858aeec5
            • Opcode Fuzzy Hash: 34d72509920e828fb7861e436f2630ef902294bfc62da8167ca290b37d0a26f2
            • Instruction Fuzzy Hash: 1DA103B4606305DFDB24DF25C840BBAFBE5BF45300F18C579D5969B682D730AA44CB90
            Function 0306273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 030A21D9, 030A22B1
            • .Local, xrefs: 030628D8
            • SXS: %s() passed the empty activation context, xrefs: 030A21DE
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 030A22B6
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
            • API String ID: 0-1239276146
            • Opcode ID: 400c26ec1483dc1437b12f07c6fc425fee0954a10222e51591fada67e059b59f
            • Instruction ID: ab00a894ef777e4ed3b4c4a9c1525d0ff4614fe7f52d1f3e91fa28b4657720c8
            • Opcode Fuzzy Hash: 400c26ec1483dc1437b12f07c6fc425fee0954a10222e51591fada67e059b59f
            • Instruction Fuzzy Hash: EDA1A435902229DFDB64CF94DC84BA9B3B9BF98314F1949F9D848AB255D7309E80CF90
            Function 0302F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
            • API String ID: 0-2586055223
            • Opcode ID: 51473d4af4ab5a16001a8c66178c9287bc9b5fcb85c662cd83902b6be772d811
            • Instruction ID: cd169c4b661ddf551d2b8ad62587b4ed936b4eb82799c98fa2cd31418c870384
            • Opcode Fuzzy Hash: 51473d4af4ab5a16001a8c66178c9287bc9b5fcb85c662cd83902b6be772d811
            • Instruction Fuzzy Hash: D56126762077419FD721EB24D848F6BBBE8FF80754F0808A8F9958B691D734D941CB61
            Function 00402D0A Relevance: 5.2, Strings: 4, Instructions: 152COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: CV|$CV|$gfff$|
            • API String ID: 0-3193153294
            • Opcode ID: e7a5007481dda8e4a4196a522ca4ec33406c4e1c4f5740477c53a8be38a32eb0
            • Instruction ID: a1a1deca0d2dda3937c2e99b57891cdccbf0c28398d2d5ae64b2bf8f95f011fa
            • Opcode Fuzzy Hash: e7a5007481dda8e4a4196a522ca4ec33406c4e1c4f5740477c53a8be38a32eb0
            • Instruction Fuzzy Hash: BC516B31F0020A47DB188D9DDE843D9BAA2EBE8304F58817BDD489F3C6D5B8AE0587D4
            Function 00402D10 Relevance: 5.2, Strings: 4, Instructions: 152COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: CV|$CV|$gfff$|
            • API String ID: 0-3193153294
            • Opcode ID: 1d8e4784891accfd47ed13edffe62c2f0d02ad1b8d387308c423930b404b555c
            • Instruction ID: 081c143cfaa1c4e39a8e35fea610cb1901c9dde64770691b2feaf352c2fc1d04
            • Opcode Fuzzy Hash: 1d8e4784891accfd47ed13edffe62c2f0d02ad1b8d387308c423930b404b555c
            • Instruction Fuzzy Hash: B5515D31F0020A47DB188D9DDE843D9BA56EBE8304F58817ADD449F3C6D5B8AE0587D4
            Function 030E11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
            • API String ID: 0-336120773
            • Opcode ID: e7538718cc7c0a95a180c5b0432dd44e1cf8d26612ffd48d45e0bf918396db5c
            • Instruction ID: f182c76e1fd723074562ca80331057c3fa615ddfa4687c06317b6313be3e3210
            • Opcode Fuzzy Hash: e7538718cc7c0a95a180c5b0432dd44e1cf8d26612ffd48d45e0bf918396db5c
            • Instruction Fuzzy Hash: 7B31EB35313210EFD759EB98CC85FAAB7E8EF49620F180459E411CB291EA70EC50CBA5
            Function 03029148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
            • API String ID: 0-1391187441
            • Opcode ID: bd4311ea88bbdd4f476299d489b0fc39594128a30bcbb6ee06fae9030c50573d
            • Instruction ID: 5d9398399dc807550d88176a1e5ea75b7c86a0f9ae0dafe8f99a3dd2a340803f
            • Opcode Fuzzy Hash: bd4311ea88bbdd4f476299d489b0fc39594128a30bcbb6ee06fae9030c50573d
            • Instruction Fuzzy Hash: F631A336A02214EFDB11EB4ACC85FEEBBF8EF45620F144055E814AB291DB70ED40CB60
            Function 030429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 03043255
            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0304327D
            • HEAP: , xrefs: 03043264
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
            • API String ID: 0-617086771
            • Opcode ID: bbace2d7e2799f763e9d1259a6b70b8320673de338e03871a98d1f1176bc903c
            • Instruction ID: 9ade8c74490526c6ef082959ba289de0eb00d344367e729cba3a91c48250effe
            • Opcode Fuzzy Hash: bbace2d7e2799f763e9d1259a6b70b8320673de338e03871a98d1f1176bc903c
            • Instruction Fuzzy Hash: 1F92CEB4A06249DFDB65CF68C4407AEBBF5FF48300F1888A9E855AB391D735AA41CF50
            Function 03041F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: cb07d8caae837ed0d22653f17c4e4eb314248db6fbe12b095203b163447a5f08
            • Instruction ID: 2fafb21f5a73a92fb9dae01c68ada738e3fff0b248f7ce428ab3264011913ff2
            • Opcode Fuzzy Hash: cb07d8caae837ed0d22653f17c4e4eb314248db6fbe12b095203b163447a5f08
            • Instruction Fuzzy Hash: 782223706026059FEB25DF29C894B7AFBF9FF46704F18889AE4558F282D732D981CB50
            Function 03040770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-4253913091
            • Opcode ID: e364cd44a9a3cca0c904f8c89ba0a83939755a1f9b1df79511728c041ca3e3c5
            • Instruction ID: ef05a8aa5f5fb6a5d765c3b384102d51e27fdd00a72e21da8ee8b2a5f6b2261d
            • Opcode Fuzzy Hash: e364cd44a9a3cca0c904f8c89ba0a83939755a1f9b1df79511728c041ca3e3c5
            • Instruction Fuzzy Hash: 9CF1CE74A02605DFEB15CF69C980B6AF7F5FF46300F1845A9E516AB381D734EA81CB90
            Function 03031460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 03031712
            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03031728
            • HEAP: , xrefs: 03031596
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 5131155a6135c34cdd24f37fda2845503ccacd8f171d3b03587a278af397737d
            • Instruction ID: 71b6bb790aaa30dcc7d52970d434b701228935d94464fe1b6e4033aac520d5a2
            • Opcode Fuzzy Hash: 5131155a6135c34cdd24f37fda2845503ccacd8f171d3b03587a278af397737d
            • Instruction Fuzzy Hash: C6E10470A066429FDB29EF68C451BBABBF9EF4A300F18895DE4D6CB245D734E940CB50
            Function 0303B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
            • API String ID: 0-1145731471
            • Opcode ID: 8366b02348dd6a29856b650d90c0602db5a3ec8021b021f037a63e81bbbc6d88
            • Instruction ID: 465d57bba662846ee1cb203a5b25128771fa4bcf7f453c11f62f34a18a094264
            • Opcode Fuzzy Hash: 8366b02348dd6a29856b650d90c0602db5a3ec8021b021f037a63e81bbbc6d88
            • Instruction Fuzzy Hash: 78B16D79A067059BDF25CF59C980BAEB7F9EF85714F1849AAE451EB380D730A840CF50
            Function 030B368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
            • API String ID: 0-2391371766
            • Opcode ID: d2956a38193c1cd2926531c75e9be4b56c658974ac2756b919126438da855a10
            • Instruction ID: 8cef4213393852eae9d25d298a7328a7d5257a04b391688bc9a41197461d1e8b
            • Opcode Fuzzy Hash: d2956a38193c1cd2926531c75e9be4b56c658974ac2756b919126438da855a10
            • Instruction Fuzzy Hash: 2AB1C179606345EFD321DF54C880FABB7F8EB48710F250969FA409B280D771E854CB96
            Function 03056962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $@
            • API String ID: 0-1077428164
            • Opcode ID: 48fd9660909fcbafe0606ae504e2909855541e6877aa12d13cb89393a70ebedd
            • Instruction ID: db0067a8d81a0dff0e710dab4098109e1e964348cdff9e51a3d0d5ef40f3ccd4
            • Opcode Fuzzy Hash: 48fd9660909fcbafe0606ae504e2909855541e6877aa12d13cb89393a70ebedd
            • Instruction Fuzzy Hash: 97C27F71A0A3459FEB65CF24C880BABBBE5AFC8744F08896DF989C7240D735D805DB52
            Function 0302A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: FilterFullPath$UseFilter$\??\
            • API String ID: 0-2779062949
            • Opcode ID: 02a5fae36c0771ef38fd5c9c9de05dc94cd77815fa49e0b67b231cc83cc7291f
            • Instruction ID: bec9bb0cfd0ac1fe04addd07afa57f14c8aaa75e255bf0ac01f5ae889c261cc7
            • Opcode Fuzzy Hash: 02a5fae36c0771ef38fd5c9c9de05dc94cd77815fa49e0b67b231cc83cc7291f
            • Instruction Fuzzy Hash: 24A16F759026299BDB31EF24CC88BEAF7B8EF44700F1401E9E909A7250D7359E85CF64
            Function 030C36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
            • API String ID: 0-318774311
            • Opcode ID: c58aa03a6f47bedac5ceb67c6de7a714305671f027c4fc24d5a2fffd26273c89
            • Instruction ID: 8e1b131b10ace60d4a8d2ccd58962e0d685b7f5549c8347d836cd234920c0b96
            • Opcode Fuzzy Hash: c58aa03a6f47bedac5ceb67c6de7a714305671f027c4fc24d5a2fffd26273c89
            • Instruction Fuzzy Hash: 11817D7962A381AFD361DB14C844B6FB7E8FF85750F048AADB9809B390D778D904CB52
            Function 0306909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %$&$@
            • API String ID: 0-1537733988
            • Opcode ID: 6276131d5a07e781d6ed01bea05f4ebec9f53f3c268eee2c66bc83a84c1e6359
            • Instruction ID: 4d808fe54aa5d3d70425abf4bdfd21c8b46c61fa333f6e82de8584aeec73bce7
            • Opcode Fuzzy Hash: 6276131d5a07e781d6ed01bea05f4ebec9f53f3c268eee2c66bc83a84c1e6359
            • Instruction Fuzzy Hash: EB71D17060A7029FC754DF24C980A6FFBE9BFC5718F14891DE4968BA48C731D805CB52
            Function 0310B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
            Download Yara Rule
            Strings
            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0310B82A
            • GlobalizationUserSettings, xrefs: 0310B834
            • TargetNtPath, xrefs: 0310B82F
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
            • API String ID: 0-505981995
            • Opcode ID: 51b98678d81d828f8cfc7390ec0c1270656d1c6ba3392c6f57219685ca39ee6b
            • Instruction ID: 8d2534f42267dc4ff75920471cb4fddea215a78fae243a8175daf28160760d33
            • Opcode Fuzzy Hash: 51b98678d81d828f8cfc7390ec0c1270656d1c6ba3392c6f57219685ca39ee6b
            • Instruction Fuzzy Hash: 31618076D45229AFDB31DF55CC88BDAB7B8AF48714F0141E5A908AB290C774DE80CF90
            Function 0302F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
            Download Yara Rule
            Strings
            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0308E6C6
            • HEAP[%wZ]: , xrefs: 0308E6A6
            • HEAP: , xrefs: 0308E6B3
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
            • API String ID: 0-1340214556
            • Opcode ID: ad78025c3d509e971d11b987610945a517328c92befa2a9917633ceb226f9f61
            • Instruction ID: 831b438e11e139893b02a6ef48b8e29e26f30d52751b9167f91c80a4caf2c5de
            • Opcode Fuzzy Hash: ad78025c3d509e971d11b987610945a517328c92befa2a9917633ceb226f9f61
            • Instruction Fuzzy Hash: D0510575606755EFE712EBA8C844BAAFBF8FF45340F0804A4E9818B692D774E950CB10
            Function 030DDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
            Download Yara Rule
            Strings
            • HEAP[%wZ]: , xrefs: 030DDC12
            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 030DDC32
            • HEAP: , xrefs: 030DDC1F
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
            • API String ID: 0-3815128232
            • Opcode ID: 9b99985b5a885345d76920e159ab1f67f85e9b5bf26bea70ee03f43bfc269ad3
            • Instruction ID: d336e93cb1fbb7532b48e61f8e6989b342ee8ccb017cbdf5e861736498da7cb1
            • Opcode Fuzzy Hash: 9b99985b5a885345d76920e159ab1f67f85e9b5bf26bea70ee03f43bfc269ad3
            • Instruction Fuzzy Hash: CC514635102350CEE7B4DB2EC844776B7E6DF46368F088C8AE4D28F685D676E842DB20
            Function 0306C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
            Download Yara Rule
            Strings
            • LdrpInitializePerUserWindowsDirectory, xrefs: 030A82DE
            • minkernel\ntdll\ldrinit.c, xrefs: 030A82E8
            • Failed to reallocate the system dirs string !, xrefs: 030A82D7
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1783798831
            • Opcode ID: 3a719491c2993c8fec86ab53af88c34d7dd4e4267b9943587b8fb5325507dd3b
            • Instruction ID: ca8948d27a81a57ade1fcc46248d9c1ec8893e99653b8597da5a269210cdda87
            • Opcode Fuzzy Hash: 3a719491c2993c8fec86ab53af88c34d7dd4e4267b9943587b8fb5325507dd3b
            • Instruction Fuzzy Hash: A141E7B5506304ABD724FB68D844B9B77E8EF88750F04492AF998DB294E770D860CBA1
            Function 030616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrtls.c, xrefs: 030A1B4A
            • LdrpAllocateTls, xrefs: 030A1B40
            • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 030A1B39
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
            • API String ID: 0-4274184382
            • Opcode ID: 746c33e3a029e07748972c01630bcc6681444b7f0a3be50437c5eaffc3d9dfc9
            • Instruction ID: afe33bb6095dd969cab7c084685da46875040f6b30b68137df76f40fb8094ef1
            • Opcode Fuzzy Hash: 746c33e3a029e07748972c01630bcc6681444b7f0a3be50437c5eaffc3d9dfc9
            • Instruction Fuzzy Hash: 8B41ACB9A02608AFCB19DFA8DC41BEEFBF5FF98714F048519E405AB214D774A910CB90
            Function 030EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
            Download Yara Rule
            Strings
            • PreferredUILanguages, xrefs: 030EC212
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 030EC1C5
            • @, xrefs: 030EC1F1
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
            • API String ID: 0-2968386058
            • Opcode ID: 85cb76c648f861ef158b72070b1c3081ae5d43d09843220cbbb4f2225a23de45
            • Instruction ID: f5967b0f60bc7de725feb1b170dfd806e2cd122275fc72e7772925c2f33705b3
            • Opcode Fuzzy Hash: 85cb76c648f861ef158b72070b1c3081ae5d43d09843220cbbb4f2225a23de45
            • Instruction Fuzzy Hash: B4418E76E02209EFEB11DAD8C885FEEF7FCAB44700F04406AE905BB290D7759E448B94
            Function 030C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
            • API String ID: 0-1373925480
            • Opcode ID: 334f3714dfe2e4c9e474d33fe5bb4cc3fe6281d6b10dd06a64e0f4a4b8baaae8
            • Instruction ID: 92b6cb95adaf3b486723f066c926beab352dcda3a44fda2d1c5417010e36fd92
            • Opcode Fuzzy Hash: 334f3714dfe2e4c9e474d33fe5bb4cc3fe6281d6b10dd06a64e0f4a4b8baaae8
            • Instruction Fuzzy Hash: 9041C2759127988BEB26DB9AC860BEDB7F8FF95340F1804ADD841AF791D6748901CB10
            Function 030B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            • LdrpCheckRedirection, xrefs: 030B488F
            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 030B4888
            • minkernel\ntdll\ldrredirect.c, xrefs: 030B4899
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-3154609507
            • Opcode ID: 7181af56abaa0d5343fff7b413f45951a94c0332098b691f338f83326f2b2468
            • Instruction ID: 0847957bdedfaad28cc59097f25d5c438066ad0aff45fadefd42c8959b808662
            • Opcode Fuzzy Hash: 7181af56abaa0d5343fff7b413f45951a94c0332098b691f338f83326f2b2468
            • Instruction Fuzzy Hash: 4741D832A027519FCB61CE5AD440AABB7F8EF49A50F090569EC58DB353D730DA10CB91
            Function 030633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • Actx , xrefs: 030633AC
            • SXS: %s() passed the empty activation context data, xrefs: 030A29FE
            • RtlCreateActivationContext, xrefs: 030A29F9
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
            • API String ID: 0-859632880
            • Opcode ID: 513933521200bb33173a16f2dee889a57ad0786bee5283eddc34af6358699a33
            • Instruction ID: bd2c51098f81c2875909f209309ea3e7480b13d0630bbcdddaea61d61fd49d98
            • Opcode Fuzzy Hash: 513933521200bb33173a16f2dee889a57ad0786bee5283eddc34af6358699a33
            • Instruction Fuzzy Hash: 243105366027059FDB26DE58D880B9AB7E8AB84710F0948A9E9059F695C770E851C7D0
            Function 03061607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrtls.c, xrefs: 030A1A51
            • DLL "%wZ" has TLS information at %p, xrefs: 030A1A40
            • LdrpInitializeTls, xrefs: 030A1A47
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
            • API String ID: 0-931879808
            • Opcode ID: 7561dffbf46db5cefae2e087ea4183c21bcac627ec5dc2de3673f7fd4770aa08
            • Instruction ID: 6c60b400fc8507d5de7c7469c8b653de27e2cdcd883c226a323ce5d20f026c64
            • Opcode Fuzzy Hash: 7561dffbf46db5cefae2e087ea4183c21bcac627ec5dc2de3673f7fd4770aa08
            • Instruction Fuzzy Hash: 8F314635A02304BFDB2CDB48CD85FBAB6BDEB99714F040469F404BB184E770AD6087A0
            Function 03071270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
            Download Yara Rule
            Strings
            • BuildLabEx, xrefs: 0307130F
            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0307127B
            • @, xrefs: 030712A5
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
            • API String ID: 0-3051831665
            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction ID: d1a2a365bcf6d8a9e902d2366172bc9b22dd79bab80d3659be72b0c29f22217c
            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction Fuzzy Hash: ED319176E0261CAFDB15EF95CC44EEEBBBDEB84750F004425E914AB1A0D730DA05CB58
            Function 030B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
            Download Yara Rule
            Strings
            • Process initialization failed with status 0x%08lx, xrefs: 030B20F3
            • minkernel\ntdll\ldrinit.c, xrefs: 030B2104
            • LdrpInitializationFailure, xrefs: 030B20FA
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2986994758
            • Opcode ID: 7ab6c45cfac0dec26e43bbc2ca1fe94524e47394c2718b6a097fe77428679457
            • Instruction ID: 58db098fa1d91028d186abf5680badb0e0c4f6342feee99fd7dcdfbdd85a2ff3
            • Opcode Fuzzy Hash: 7ab6c45cfac0dec26e43bbc2ca1fe94524e47394c2718b6a097fe77428679457
            • Instruction Fuzzy Hash: 62F0C835642308BFD728E64CDC42FD977BCEB94B54F140855F6507F685D2F0A560CA51
            Function 030403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: #%u
            • API String ID: 48624451-232158463
            • Opcode ID: 2ad413bc5720362b710a96df999ec5f784e0897365ed4b9bb0e1843d07158d71
            • Instruction ID: 36db638c617d30f561691dac185fdbb8f9ae39d5bf112473ba0cc460dfde8038
            • Opcode Fuzzy Hash: 2ad413bc5720362b710a96df999ec5f784e0897365ed4b9bb0e1843d07158d71
            • Instruction Fuzzy Hash: CD714CB5A022499FDB05DF99D990BEEB7F8AF48304F154065E905AB251E734EE01CB60
            Function 030D705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: kLsE
            • API String ID: 3446177414-3058123920
            • Opcode ID: c5b14107be8d9bdf79a7411e76144f66b11465d419aa3a7a0e89c3c812590834
            • Instruction ID: d3bcd14fdd87b5e7c1a76ea7c133babe748407790044ce02320346a5d8f82050
            • Opcode Fuzzy Hash: c5b14107be8d9bdf79a7411e76144f66b11465d419aa3a7a0e89c3c812590834
            • Instruction Fuzzy Hash: 80417835503355ABE739FF69E844BA97FD4AB94B24F180218EDA05E0C9CBB444E1CBB0
            Function 030452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@
            • API String ID: 0-149943524
            • Opcode ID: ed5742b7fc386b1f02eed35198a16b3634be804ab00d896017dc95dc5212d987
            • Instruction ID: 94da3ed9091d03cbd090d1bdbc487e455519825d047a9723186c8904469f788f
            • Opcode Fuzzy Hash: ed5742b7fc386b1f02eed35198a16b3634be804ab00d896017dc95dc5212d987
            • Instruction Fuzzy Hash: D132CCB450A3118BDB64CF18C880B7EF7E5EF8A754F18492EF8859B290E735CA40DB52
            Function 03032FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @4Qw@4Qw$PATH
            • API String ID: 0-1814558670
            • Opcode ID: 6b0f4356fd5f45d6058e969ed26c421ba4aca574b10a23ee9908bf6f4807d2a3
            • Instruction ID: f12b9066f80884d7e8461151aad89192b376d44345807cd6525409e251b5d07b
            • Opcode Fuzzy Hash: 6b0f4356fd5f45d6058e969ed26c421ba4aca574b10a23ee9908bf6f4807d2a3
            • Instruction Fuzzy Hash: A9F1D179D01218EBCB29DF99D8C0AFEB7F9FF89700F488069E440AB250D774A851CB65
            Function 030FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: `$`
            • API String ID: 0-197956300
            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction ID: 74c32048e5223b09b5b3781b9a14089fe07b4505e6c2b11b50afed0a765aaebe
            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction Fuzzy Hash: 1BC1AC313053469FDB24CE28C841B6BFBE5AFC4718F088A2DF6998AA90D775E505CF91
            Function 03030CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
            Download Yara Rule
            Strings
            • ResIdCount less than 2., xrefs: 0308EEC9
            • Failed to retrieve service checksum., xrefs: 0308EE56
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
            • API String ID: 0-863616075
            • Opcode ID: 4eafea79270065e136345daf0e1c5d3cacf522d438d782faac4cba7796192f4d
            • Instruction ID: dcd40f970afcf2de9ff8b21b913d212df072cdc292f5f84b987ab76a1180f8e3
            • Opcode Fuzzy Hash: 4eafea79270065e136345daf0e1c5d3cacf522d438d782faac4cba7796192f4d
            • Instruction Fuzzy Hash: C8E1E2B59097449FE364CF16C440BABFBE4FB88314F008A2EE5D99B280DB719949CF56
            Function 00402620 Relevance: 2.7, Strings: 2, Instructions: 214COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: d$gfff
            • API String ID: 0-1799034191
            • Opcode ID: 7c7e3d19d4338b95fbd49e97f60348eea0abdb1dce3251b4e656174b836c1395
            • Instruction ID: 6acde87ad6c99a728100d2cab21e4da7bca42db48d8945b2d20613de315a308f
            • Opcode Fuzzy Hash: 7c7e3d19d4338b95fbd49e97f60348eea0abdb1dce3251b4e656174b836c1395
            • Instruction Fuzzy Hash: 27610536B0010647CF1CCA5DCE5466AB3A6EBD4314F24827FD815EB3C1E6B9DD028688
            Function 0304F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$$
            • API String ID: 0-233714265
            • Opcode ID: f58a54301a731edd541b7dbe3d45ac228a6a6304ec0eb20be266f6acdd08a518
            • Instruction ID: c29beed32028588c604be3680e5eddc318c42b0e0f9f54163c542693ab0436f1
            • Opcode Fuzzy Hash: f58a54301a731edd541b7dbe3d45ac228a6a6304ec0eb20be266f6acdd08a518
            • Instruction Fuzzy Hash: B7619CB5A0274ADFDB20DFA4C580BADB7F6FF88704F184469D515AF680CB74AA41CB90
            Function 0303A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
            Download Yara Rule
            Strings
            • RtlpResUltimateFallbackInfo Exit, xrefs: 0303A309
            • RtlpResUltimateFallbackInfo Enter, xrefs: 0303A2FB
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
            • API String ID: 0-2876891731
            • Opcode ID: 50a24fc62a54443e8ab4c01b2c5765f568b247b54cb3ebba406c260d88fab3a3
            • Instruction ID: 673e30ff316efe91527e8f6917ca230a34723ddb313d68a85399e9ac601415c6
            • Opcode Fuzzy Hash: 50a24fc62a54443e8ab4c01b2c5765f568b247b54cb3ebba406c260d88fab3a3
            • Instruction Fuzzy Hash: 9041AE75B06649EBDB11CF69C840BAEB7F8EF86700F1844A6EC44DB291E335D940CB55
            Function 0306329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local\$@
            • API String ID: 0-380025441
            • Opcode ID: fca41c4d8a20400462e3d75e5e5dcf7f8bfbd88216bedbce57d913b0c2cac52a
            • Instruction ID: 76e552285e4c492136d58ec36078f4f0a96119e3ba52b5520ad7d98ac0e8c698
            • Opcode Fuzzy Hash: fca41c4d8a20400462e3d75e5e5dcf7f8bfbd88216bedbce57d913b0c2cac52a
            • Instruction Fuzzy Hash: 8631B5B950A314AFC350DF28C880A9FBBE8FBC5654F48096EF59587260DA31DD04CBD6
            Function 0303C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: MUI
            • API String ID: 0-1339004836
            • Opcode ID: 7bf55cb3bf180ef34fd9dd0b2054c6a866b5ac7481d7aa0351c8ed8f95cec5b8
            • Instruction ID: 41b360a012ad704890f08f87c5cb7d97f6583d1cdd0696e569322382d3d3a43f
            • Opcode Fuzzy Hash: 7bf55cb3bf180ef34fd9dd0b2054c6a866b5ac7481d7aa0351c8ed8f95cec5b8
            • Instruction Fuzzy Hash: 28823B75E022189FEB64CFA9C880BEDF7B9BF4A710F188569E859EB250D7309D41CB50
            Function 03082F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: P`?wRb?w
            • API String ID: 0-3112501033
            • Opcode ID: 997acb0f6f0a70ad5395fda872c8f8e98442976c040c4eed067f8ddd5f305a5e
            • Instruction ID: 8eb03598a5477123ba49a4b47124b7277ac4f49a31b20cb0d783775c84f33972
            • Opcode Fuzzy Hash: 997acb0f6f0a70ad5395fda872c8f8e98442976c040c4eed067f8ddd5f305a5e
            • Instruction Fuzzy Hash: E542037DD06259AADF69EFA8C4446BDFBF4AF84B10F1C84DAD4C1AB280D7348981CB54
            Function 0305FB80 Relevance: 1.8, Strings: 1, Instructions: 559COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: IQwIQw@4Qw@4Qw
            • API String ID: 0-1113666773
            • Opcode ID: 7fb712e3519d6587cd216b97db38288d459474078b6d696ea532c7ec8df258b9
            • Instruction ID: 17ec7e614aa2226c1c555fb7fdd63bd1b1b1f170ab6ed4d4e743657849188103
            • Opcode Fuzzy Hash: 7fb712e3519d6587cd216b97db38288d459474078b6d696ea532c7ec8df258b9
            • Instruction Fuzzy Hash: 2E22C474A0160AEFDB54DFA8D880BEEB7B5FF88310F1485A9D8549B245D734EA81CB90
            Function 03037370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f7290d9976037c7302f9c7bdb418432e0892c74d41a307eb5c01d30e02e334fc
            • Instruction ID: 9c55e86f81da92d8406052f1445668c28662378fbc2726e2842738ad701a9e1a
            • Opcode Fuzzy Hash: f7290d9976037c7302f9c7bdb418432e0892c74d41a307eb5c01d30e02e334fc
            • Instruction Fuzzy Hash: 37A18BB5609342CFD724DF28C480A2BBBE9BF89704F144DAEE5858B350E770E945CB92
            Function 03052E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 45d270b4249ea05a8b60fe3cc8b30fa7e6f64d650bbb1fc19cfa406b4d7b5a50
            • Instruction ID: c9c990d346957b71609c863fe5594e40f0f6758b64353e1e3267419fa2d1bec4
            • Opcode Fuzzy Hash: 45d270b4249ea05a8b60fe3cc8b30fa7e6f64d650bbb1fc19cfa406b4d7b5a50
            • Instruction Fuzzy Hash: 27F19D7960A745CFDB65CF28C490B6BBBE5AFC8650F0948ADFC898B240DB30D945CB52
            Function 004168D3 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction ID: 909e4fd7064320abce83f4abc93d9c6d057b2f37113d79d8bb154cac043e28a7
            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction Fuzzy Hash: 15021EB6E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
            Function 0305FDC0 Relevance: 1.6, Strings: 1, Instructions: 390COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: IQwIQw@4Qw@4Qw
            • API String ID: 0-1113666773
            • Opcode ID: 089a59c152eb2f69006e61fb8c44f548dd971fb79c9f4bc1b90a8bc5019bd61b
            • Instruction ID: ee1fd64a80163bdd60f490d95839840bb51cbada5eee83c7d9395fd508d528f9
            • Opcode Fuzzy Hash: 089a59c152eb2f69006e61fb8c44f548dd971fb79c9f4bc1b90a8bc5019bd61b
            • Instruction Fuzzy Hash: CEF1C274E01609DFDB54DFA8D880BAEB7F5FF48304F1885A9E805AB245E734DA85CB90
            Function 0306F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c3392251bc09950394c59591d9f8116871311ec335130abc6d5c424e765f72f
            • Instruction ID: 454d07413ffc4edff9aaa9554223aa7fab8f2504b92fa923bb225e516691f2da
            • Opcode Fuzzy Hash: 9c3392251bc09950394c59591d9f8116871311ec335130abc6d5c424e765f72f
            • Instruction Fuzzy Hash: F14158B4D01288EFDB24DFA9D880AEEFBF4FB48300F14856EE859A7215D7319950CB60
            Function 03030100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: f04ebcaffb36684a662232892a12bffc9cc331a60a9eb45958f4f3e46abc91e6
            • Instruction ID: e41e1c701bcdcd0ceaaf26b7c177fc6dc3fe64e65673281a147513ff365b5ba2
            • Opcode Fuzzy Hash: f04ebcaffb36684a662232892a12bffc9cc331a60a9eb45958f4f3e46abc91e6
            • Instruction Fuzzy Hash: C5A11A75A0B3686BDF68DB29C840BFEA7ED5F86304F0844E9EDC76B281C6748940CB55
            Function 0306A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalTags
            • API String ID: 0-1106856819
            • Opcode ID: b12f146b2d4703e31bd5cdfb87f18b4205055b8d51d73d803e69ffff66fd635b
            • Instruction ID: e49cf152f8883171c88ea49c6e1a809be28bfb7f107a175d531bdf996004ca1e
            • Opcode Fuzzy Hash: b12f146b2d4703e31bd5cdfb87f18b4205055b8d51d73d803e69ffff66fd635b
            • Instruction Fuzzy Hash: D6717075E0260ADFDF68DF9CE5906EEBBF5BF48700F18856AE805AB244D7328941CB50
            Function 0303973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
            • Instruction ID: 95f9c03d16eb5fd41f35a9306944a51a679dd051e46857a58ec60d9933fde80c
            • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
            • Instruction Fuzzy Hash: 79615B75D02219ABDF21DF99C840BEEFBFCEF85714F14496AE810A7290D7749A01DBA0
            Function 0302B2D3 Relevance: 1.4, Strings: 1, Instructions: 161COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 04Qw04QwIQwIQw@4Qw@4Qw
            • API String ID: 0-3236230031
            • Opcode ID: 0c0374915bceaddb469843fccb61de85380ddc5ade7faed4426d2d3e679869ea
            • Instruction ID: 2b53d841c5ac328135257eb526c37482cc3db0d83521beee7f0d65a10d09a6ac
            • Opcode Fuzzy Hash: 0c0374915bceaddb469843fccb61de85380ddc5ade7faed4426d2d3e679869ea
            • Instruction Fuzzy Hash: F3415775202710AFD725EF29D880B6ABBE9FF84710F144869E5599B350D770DC50CBA0
            Function 030BF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
            • Instruction ID: 1c0bc35c4426eebf990ac5f5b4721e2764ca68dafe18bccfb8ed8a834f8e663b
            • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
            • Instruction Fuzzy Hash: 24517876616306AFD721DF54CC40FAAB7F8FB84750F040929B9809B290D7B5ED14CB96
            Function 0304E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: EXT-
            • API String ID: 0-1948896318
            • Opcode ID: 36723d1c7b7fc8f34dd7cee01de121eb7ccf13501ebaf6ab092fa0236b476756
            • Instruction ID: 3d4f57a98735b78ad0c5187f51d04d5590476fd2813bdd6fbcfcf8b2b77a3f55
            • Opcode Fuzzy Hash: 36723d1c7b7fc8f34dd7cee01de121eb7ccf13501ebaf6ab092fa0236b476756
            • Instruction Fuzzy Hash: 65415EB650A3119BD710DA65C984BAFB7E8BF88714F440D39F984DB180E774DA04C796
            Function 030EB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PreferredUILanguages
            • API String ID: 0-1884656846
            • Opcode ID: d2d85bef1ef9940b388b9d4f83440c9ea70c57be7fcb2e5f45bb071c4eb54a8e
            • Instruction ID: 70a05504b3309c5b10be8e8a00fd0dbd427387c3b867f05ae1e00f0eabce5d70
            • Opcode Fuzzy Hash: d2d85bef1ef9940b388b9d4f83440c9ea70c57be7fcb2e5f45bb071c4eb54a8e
            • Instruction Fuzzy Hash: 4841E476E06219AFCF11DAA8C841BEEF7B9EF84710F050566E911FB254D6B0DE40C7A4
            Function 030AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: BinaryHash
            • API String ID: 0-2202222882
            • Opcode ID: 6829e7c5f9394e8aa8b4a7edbcc458e50df3284faad2a2541d3ed1a084affb25
            • Instruction ID: 791806b1309eb78c20f83f882b001ef1764ce0825e14a82a1d952ed3ea1dc910
            • Opcode Fuzzy Hash: 6829e7c5f9394e8aa8b4a7edbcc458e50df3284faad2a2541d3ed1a084affb25
            • Instruction Fuzzy Hash: CB4145B5D0262CABEB21DB94DC84FDEB77CAB44714F0145E5A608AB140DB709E498F94
            Function 030B97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: verifier.dll
            • API String ID: 0-3265496382
            • Opcode ID: fb40c903c5e2489212132e07b1a50d761a81bf1f02235bce080c02875a91b296
            • Instruction ID: 4d2259253a0eb1bb727564406aa9c18fb32999efd0e6e68c0a77c2ac7fd5b5c6
            • Opcode Fuzzy Hash: fb40c903c5e2489212132e07b1a50d761a81bf1f02235bce080c02875a91b296
            • Instruction Fuzzy Hash: F8317375A01301AFDB64DF699890BB6B7F6EB8D710F588479E609DF2C1E7318C8087A4
            Function 03029730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: L4QwL4Qw
            • API String ID: 0-1417497668
            • Opcode ID: 09f54f9047ad472d8de1e70edc9f058053fd82ef10a1f8454158be66be2e3e91
            • Instruction ID: f8a724558f31ee711d73b729399d619d4d6d354fb4266215720d2c839914cc83
            • Opcode Fuzzy Hash: 09f54f9047ad472d8de1e70edc9f058053fd82ef10a1f8454158be66be2e3e91
            • Instruction Fuzzy Hash: 4A21B675602B24AFC321DF588400B5BBFB5FF88B50F150879A9659B751D770E921CB90
            Function 03035096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx
            • API String ID: 0-89312691
            • Opcode ID: b0be5488eaa43b68f54937da00b9d90900c1f5f23c46c96db766b3001a1f7fcd
            • Instruction ID: a39ed2375f79d8d2b769ab9594492ea9c8c147f26f82a295721ac18d7508b499
            • Opcode Fuzzy Hash: b0be5488eaa43b68f54937da00b9d90900c1f5f23c46c96db766b3001a1f7fcd
            • Instruction Fuzzy Hash: D41166307075028BEB64C91D8C516BAF2DDEB97264F3C492AD451CB3B1D673D8418780
            Function 030B106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrCreateEnclave
            • API String ID: 0-3262589265
            • Opcode ID: 8427451ba46bc6ee7483c465b8aae6b8c57a3884628fe0288d197b239215f543
            • Instruction ID: 851250bcb64cab855bce571b922e8a6e2955c701108b611ba491171fc5b429d1
            • Opcode Fuzzy Hash: 8427451ba46bc6ee7483c465b8aae6b8c57a3884628fe0288d197b239215f543
            • Instruction Fuzzy Hash: A42115B1509344AFC324DF1AD844A9BFBF8FBD5B00F104A1EF5A09B250E7B09505CB96
            Function 0306E8F0 Relevance: 1.0, Instructions: 985COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0ac7564ea8a35b6c2e7e1a05ee6489b70892fe00347a65bdf56e5cb961a42aba
            • Instruction ID: 4085d360ace4c7b0517a40027efb799f807afa12d5d64a1cd2efdaed4a611623
            • Opcode Fuzzy Hash: 0ac7564ea8a35b6c2e7e1a05ee6489b70892fe00347a65bdf56e5cb961a42aba
            • Instruction Fuzzy Hash: 80824472F102188BCB58CFADDC916DDB7F2EF88314B19812DE416EB349DA34AC568B45
            Function 0307516C Relevance: .8, Instructions: 785COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 075f7a4758ae7b780609c925abc9a58ed24efbc524900986108974868b961305
            • Instruction ID: 85e923949842ce076e431d66af8af00c764607a86a73b7f4bef0b7b8d846a4bb
            • Opcode Fuzzy Hash: 075f7a4758ae7b780609c925abc9a58ed24efbc524900986108974868b961305
            • Instruction Fuzzy Hash: F3628132D0664AAFCF24CF08D8904EEFBA2FE56314B49C59CC89A27604D371B955CBD9
            Function 0308739A Relevance: .7, Instructions: 705COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7eb5aed3955f605c5b7548740e048c3ed2b4b268efe91a8d6a29b1027f8205d1
            • Instruction ID: 49e6e51195824f672b8696c59d89f19a50d184ea50c1eeee63c2c1d8cd9d9860
            • Opcode Fuzzy Hash: 7eb5aed3955f605c5b7548740e048c3ed2b4b268efe91a8d6a29b1027f8205d1
            • Instruction Fuzzy Hash: C042D375A026168FDB18DF59C4806BEF7F6FF88B14B28856DD592AB344D730E842CB90
            Function 03085AA0 Relevance: .7, Instructions: 652COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
            • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
            Function 0305B2C0 Relevance: .6, Instructions: 629COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abbdc3ceaafea9791a5f051807acc3db9b5ff6b158b3abfddcd566c6a7f1e5ad
            • Instruction ID: 44279d0a44a64d487817d550afc94fa377e9a08fec79d91a3f8921734e2c935e
            • Opcode Fuzzy Hash: abbdc3ceaafea9791a5f051807acc3db9b5ff6b158b3abfddcd566c6a7f1e5ad
            • Instruction Fuzzy Hash: 6E329F75E02219DFCF24DF68C894BAEBBB5FF94714F184029E805AB381E775A911CB90
            Function 03042840 Relevance: .6, Instructions: 605COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cf97de1130d6ceeea5a4244f3c66bb48c84f99427810e2aadbae4471fe581434
            • Instruction ID: 32d9493f9475a9b918400dc5427efe4df6054115ce88c2fa5bd92e7867ee9894
            • Opcode Fuzzy Hash: cf97de1130d6ceeea5a4244f3c66bb48c84f99427810e2aadbae4471fe581434
            • Instruction Fuzzy Hash: 8A32FF74A027198FEF24CF69C8447BEFBF6AF84310F18456EE4869B684D736A841DB50
            Function 030DA118 Relevance: .6, Instructions: 591COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 979873a2573b12ea4bd624a7546f756ac825f4cca7c365771f808a90b5528d7f
            • Instruction ID: a25604a5b0a8f935929d9bb90fdbd82086e32651b001c47ad6a475a865e9e99e
            • Opcode Fuzzy Hash: 979873a2573b12ea4bd624a7546f756ac825f4cca7c365771f808a90b5528d7f
            • Instruction Fuzzy Hash: C122BC74706751CFDB64CF29C494376B7F1AF44300F08889AE8968F68AE739E592CB64
            Function 030F16CC Relevance: .6, Instructions: 571COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1cfa0a8839a9b046b9a76791b18719bffa94b70ebc565937c8bfcc5181c6289f
            • Instruction ID: e03bb2487a9c73ae3c1a32c0b8f6e1bff45996c08ea0d73b12b5d10d21c1ee56
            • Opcode Fuzzy Hash: 1cfa0a8839a9b046b9a76791b18719bffa94b70ebc565937c8bfcc5181c6289f
            • Instruction Fuzzy Hash: 9122B135A02216CFCB1DCF59C490AAEF7F6BF88314B1845ADDA569B744DB30E942CB90
            Function 030F1D5A Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4a4c67c3336748d8de0ccfd4bade89cf86f40434a349ab90740df031f07d31a0
            • Instruction ID: ee5fc939aa00eca1f82ac110c9ce92ff37dddeb51638897d7641ebcaa1090a30
            • Opcode Fuzzy Hash: 4a4c67c3336748d8de0ccfd4bade89cf86f40434a349ab90740df031f07d31a0
            • Instruction Fuzzy Hash: AF22B1796063129FC758CF18C490A6AF3E9FFC8314B184A6DEA96CB751D730E846CB91
            Function 03058DBF Relevance: .6, Instructions: 554COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ea30d8a7a2a6b7e93268597b7c05d89476f40f3a1e5e49a8edf03285fd8adaa8
            • Instruction ID: 271cef7b41e41a1e6ae24008149aae819d152e78103b8610e8c78be9e27db252
            • Opcode Fuzzy Hash: ea30d8a7a2a6b7e93268597b7c05d89476f40f3a1e5e49a8edf03285fd8adaa8
            • Instruction Fuzzy Hash: CB224E74E4121ADBDF58CF95C480ABEFBF6BF88304B18849AEC45AB241E734D941DB64
            Function 030F2446 Relevance: .5, Instructions: 485COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2cad59c6296e2c7ab788b3de65f0ce45fed1564bec383af2ac9aa3a137c3541c
            • Instruction ID: 7732b0d685b759c2469dfd6ce1164faf92ccdbc88523fae8b2f54ef094fd027b
            • Opcode Fuzzy Hash: 2cad59c6296e2c7ab788b3de65f0ce45fed1564bec383af2ac9aa3a137c3541c
            • Instruction Fuzzy Hash: B40217386066518FDB54CF2AC45037AF7F9AF85300B188D9ADAD6CFA81D734E852DB60
            Function 0310B16B Relevance: .4, Instructions: 450COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 42b1cb1ff3493f156f92013c1eea42ca8b03910fe9694bc9aa20fd4dbe3ff8d8
            • Instruction ID: 69c7a6082174aaa40707379d7f0143635ced38801b3785a56e243aca396cf144
            • Opcode Fuzzy Hash: 42b1cb1ff3493f156f92013c1eea42ca8b03910fe9694bc9aa20fd4dbe3ff8d8
            • Instruction Fuzzy Hash: 9CF1E672E046159BCB18CFA9C9A067EFBF5AF8C21071981ADD456DB3C0D7B4EA41CB90
            Function 00410173 Relevance: .4, Instructions: 435COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction ID: 1d7445901ad3d4edfdedc228e69f0dcd04ca8f524cba06b69e646b19a8f1f8f6
            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction Fuzzy Hash: D7026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
            Function 0310A9A6 Relevance: .4, Instructions: 425COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0209d6c0643eac48232475be1cc6da9855622741d12e88e44abf27943a4b3468
            • Instruction ID: a8b9758fefbe13c39e023b5f49e55463c7503aa4f0c784dee5beb78217c21223
            • Opcode Fuzzy Hash: 0209d6c0643eac48232475be1cc6da9855622741d12e88e44abf27943a4b3468
            • Instruction Fuzzy Hash: D3F1A673E006269BCB18CF69C9A05BDFBF5AF4921071A4269D856EB3C0D774EE41CB90
            Function 00402073 Relevance: .4, Instructions: 383COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e46fd6d0a1d841b8604bbc54a2ac79415a4bbf07894b8e283f8db1d19a4d9b86
            • Instruction ID: 927d3428b01d58fea038c7f0fc5786fa773a0886d2df4d44e84bea54f7504ba6
            • Opcode Fuzzy Hash: e46fd6d0a1d841b8604bbc54a2ac79415a4bbf07894b8e283f8db1d19a4d9b86
            • Instruction Fuzzy Hash: ABB144316181858BCB29D978C99C2D97BA2EB9A354F1C41BEC440EF7C3E67E8807C385
            Function 03028397 Relevance: .4, Instructions: 380COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ede714303146304ca0be42729426844294ce78d52d56ef8a13d33325dbc71e25
            • Instruction ID: aa1835876db254bdf5c2c58d8a64dd0323282c5772348032d6f1779fdbf775c9
            • Opcode Fuzzy Hash: ede714303146304ca0be42729426844294ce78d52d56ef8a13d33325dbc71e25
            • Instruction Fuzzy Hash: B6D1D379A027269BCF14DF64C890ABFBBE5FF84304F088629E955DB280E734E954CB50
            Function 0305C6E0 Relevance: .4, Instructions: 367COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: be33280380d21a287aa5083962b18ca25955d26cf3e55d0c1aec884032e2680d
            • Instruction ID: fa7252b2c8c7523a791732648f6cb91b34194bb8cfe49c060eb57a545ef3d02c
            • Opcode Fuzzy Hash: be33280380d21a287aa5083962b18ca25955d26cf3e55d0c1aec884032e2680d
            • Instruction Fuzzy Hash: 0BD16971E063198BFF68CE98C5843BFBBF5FB44304F18846AE842AB294D7749981DB44
            Function 030438E0 Relevance: .3, Instructions: 349COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8b6f297fa0e3a42d335ff97366071c0ea4d541c6dc68394760e026d0b5c5b7ef
            • Instruction ID: 0c3a5230599f2b7ff4063204ac91b8ff6d79e0aa05613a403f4b5f227e97ee8b
            • Opcode Fuzzy Hash: 8b6f297fa0e3a42d335ff97366071c0ea4d541c6dc68394760e026d0b5c5b7ef
            • Instruction Fuzzy Hash: C5E18EB5A01209DFDB18CF58C880AAEB7F5FF58310F1885A9E555EB391D730EA51CBA0
            Function 0304CFE0 Relevance: .3, Instructions: 345COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a5ba8e82d04d17ca40800407588e5e61dbc38ce6f7e9a0452b7ba0d09a6a0220
            • Instruction ID: 09c780cafac73c8f400298850e50318a58ec49842c88116627abc2447c2e3e3b
            • Opcode Fuzzy Hash: a5ba8e82d04d17ca40800407588e5e61dbc38ce6f7e9a0452b7ba0d09a6a0220
            • Instruction Fuzzy Hash: B4D1B5B0B023199FDB74DB19C890BAAF7F5AB89300F0840F9D9099B252D774AF85CB51
            Function 0303D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 07d899bfe9645ffc3de00dd793dccc43ed7f0e30cb845da62d5a67e8ff68c44c
            • Instruction ID: 9adce39842611a7664c795596c1db79a940a0e5dc229572d27cfe810bb05eb30
            • Opcode Fuzzy Hash: 07d899bfe9645ffc3de00dd793dccc43ed7f0e30cb845da62d5a67e8ff68c44c
            • Instruction Fuzzy Hash: DDC1B571E026159BEF24CF5EC840BAEF7F9EF85310F188269D815AB290D770A942CB80
            Function 03040535 Relevance: .3, Instructions: 300COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction ID: 1e2f69acab08b329b9c19d9e7a577e9ad2ae5d56289c7f90c900695ffd1eb6e9
            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction Fuzzy Hash: DCB105B5702645AFDF21DB69C850BBFFBF6EF84200F1805A5D652AB281D730EA41DB50
            Function 030590DB Relevance: .3, Instructions: 287COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7e52e4262f6ecd2f8d2597b3a8aa7cf1a2ee0a41e726facf86524c3c63e64612
            • Instruction ID: 34c632112587c199835e7ebbf360b5feafa13d06880bd36818b2921a0dfd9b6e
            • Opcode Fuzzy Hash: 7e52e4262f6ecd2f8d2597b3a8aa7cf1a2ee0a41e726facf86524c3c63e64612
            • Instruction Fuzzy Hash: 01A17B75941209AFEB16EFA4CC81BAFB7B9EF89750F044064F900AF2A0D7759D10DBA4
            Function 030383C0 Relevance: .3, Instructions: 281COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2fd3f9fea33a3eb3e4726c93f726312c09362473606e6ee776320f29a1718ad8
            • Instruction ID: 42f07aac92f5a71a172606bf528a044772a467189b1c80634002d949c30bffe8
            • Opcode Fuzzy Hash: 2fd3f9fea33a3eb3e4726c93f726312c09362473606e6ee776320f29a1718ad8
            • Instruction Fuzzy Hash: C0C149746093418FEB64CF15C484BAAB7E9FF88304F44895EE9898B690D774E909CF92
            Function 03070185 Relevance: .3, Instructions: 276COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9ee05be703cecf15129cc6a250d89943b9bb0b7d51b1ef430ac76ee454b96172
            • Instruction ID: 2b7f2548cff5b61641f716775494af0f58ed5b02ddabbc45b4b79641c68ee2c8
            • Opcode Fuzzy Hash: 9ee05be703cecf15129cc6a250d89943b9bb0b7d51b1ef430ac76ee454b96172
            • Instruction Fuzzy Hash: BEA1E3B1F02719DBDB24DFA9C890BAAB7F5FF44314F044629EA459B280DB34E851CB54
            Function 0304E3F0 Relevance: .3, Instructions: 261COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5e72a1704ac629576adbbbce6281459955d142593b4749eaca95b75161fe1327
            • Instruction ID: 126504e6346bc4e030ddb0b75c410d61560e541abbe6bd23650969702d1e32a2
            • Opcode Fuzzy Hash: 5e72a1704ac629576adbbbce6281459955d142593b4749eaca95b75161fe1327
            • Instruction Fuzzy Hash: 6A9124B5A026159FEB24DB68D440BBEB7E5FFC4710F0944BAE8059B680E734DA41C791
            Function 03031131 Relevance: .3, Instructions: 259COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c9fef6c897d2d17b6968b1edeec42b607ad0362455a3d1f3e1033e33f291d96e
            • Instruction ID: 8f81a72e5d5eb484922736cf5c7595b9d98c70d1d2051abec1076ad322523334
            • Opcode Fuzzy Hash: c9fef6c897d2d17b6968b1edeec42b607ad0362455a3d1f3e1033e33f291d96e
            • Instruction Fuzzy Hash: D7B111B5A0A3418FD354DF28C480A5AFBE5BB89304F18496EF899CB351D371E945CB42
            Function 03064750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction ID: fdfc547320b40497bc1fd9cf6591633653364db20fb8d66396fa73c2c79fdda7
            • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction Fuzzy Hash: 15814B35E06796CFDB21CEEDD8C027EBB95EF52200F2C4ABAD4429B245C364D886C791
            Function 0307DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction ID: 0d0033a06d34d755159429db4ec05bfd9f6290c5cfd4e435e8ce3f4337cf885f
            • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction Fuzzy Hash: 22915172A21A06CFD765CF2DC885766BBE0FF55324B188A18D4E6DB6A0C375E911CB04
            Function 030FF7B0 Relevance: .2, Instructions: 242COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e62a17b4fa4d11a460a4398f06cd4bb3aeef484526926727dbfdd31f856e6955
            • Instruction ID: 0dfb45cc1e70212a57f472e779a03d15a3117308225551a5e65964fc6b63e504
            • Opcode Fuzzy Hash: e62a17b4fa4d11a460a4398f06cd4bb3aeef484526926727dbfdd31f856e6955
            • Instruction Fuzzy Hash: 66910572E05207AFDB54CF28C8807AAB7E5EF88310F188578EA55DB681D774E952CB90
            Function 030FF43F Relevance: .2, Instructions: 241COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1d6d1201b75a710dee00d70124d55f84bc64ea7d7088b814371f96ae37762702
            • Instruction ID: 321d9567f28f000dcbfdc0a54f68165fe51829b7185210683a733f5e51f0c902
            • Opcode Fuzzy Hash: 1d6d1201b75a710dee00d70124d55f84bc64ea7d7088b814371f96ae37762702
            • Instruction Fuzzy Hash: A591E272A011159FCB18CF69C8906BEBBF1FF88310F1986B9D915DB795DA34E901CB50
            Function 030F81CC Relevance: .2, Instructions: 232COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b977df68cec1e72354baa23e8bf1f5fc25767aa0b2497e1d4d7bf5ec1202c41b
            • Instruction ID: 5ec3c55d39e780dff86402d0b1daaa5ace230e997447f7c1264fce8a886554da
            • Opcode Fuzzy Hash: b977df68cec1e72354baa23e8bf1f5fc25767aa0b2497e1d4d7bf5ec1202c41b
            • Instruction Fuzzy Hash: E481F672E015199FCB54CF69C8805EEB7F5FF88310B18876ADA25E7A80D734E951CB90
            Function 03040E59 Relevance: .2, Instructions: 231COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ebd2ad1866ea02bd204d01ac2354c87b1f2cec99d1b0af6edf7f039379861b9d
            • Instruction ID: 29685638beb9a134ffa75de87d0b273deea5590f8156aa8b75ed962f91f3b200
            • Opcode Fuzzy Hash: ebd2ad1866ea02bd204d01ac2354c87b1f2cec99d1b0af6edf7f039379861b9d
            • Instruction Fuzzy Hash: 1A81A771A01619DFDB54CE5AC8809AEFBF2FFC5210B28C2B5E914AB345D731EA41CB90
            Function 030EE4F6 Relevance: .2, Instructions: 224COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8da0c2e5b2dffaf9b88047e746dc872c66050d0fe574d3c21fa1a0495867874a
            • Instruction ID: ecac3523c7088ff893ff6054a2b4cb01304683786b5c192d69deac98243f07e5
            • Opcode Fuzzy Hash: 8da0c2e5b2dffaf9b88047e746dc872c66050d0fe574d3c21fa1a0495867874a
            • Instruction Fuzzy Hash: 38816E76E012199FCB28CF99C5906ADFBF1EF89310F1981AAD816EF385D7349941CB90
            Function 030FAB40 Relevance: .2, Instructions: 222COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction ID: b8fddad4c3ee51c7c55ddfb800a893f06448cac4458cfdb3ce269bf0f4f8be61
            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction Fuzzy Hash: 44816D35B112099FCF58DF98C890AAEB7F6AF84310F188569DA1A9B745DB34E901CF90
            Function 0305D090 Relevance: .2, Instructions: 217COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction ID: b5c45f6bd51d6dab502d98670d1584e0d3e1dd91f8d1275bb41889e1edfe7e63
            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction Fuzzy Hash: 45817A76E021199BEF14CF68C8807EEF7B2EB84344F19856BE816AB344D6319E40CB95
            Function 0306E284 Relevance: .2, Instructions: 212COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f8aae12723d77986b1c546c72c513a2bdb6b2a799c269ea511a1172bb64ff90
            • Instruction ID: 5f927cc196020d9924f1ac25be27af81e294bf155b3fff8e8c7c093d360cd6ac
            • Opcode Fuzzy Hash: 8f8aae12723d77986b1c546c72c513a2bdb6b2a799c269ea511a1172bb64ff90
            • Instruction Fuzzy Hash: 13818C75A01709AFDB25CFA9C980AEEF7FAFF88340F148429E556A7254D730AC05CB64
            Function 0305B950 Relevance: .2, Instructions: 209COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cae8b81e5f3b0e2f4ae39acc43dcbcb9197e04a08b8fe15e1faa34508b69bc33
            • Instruction ID: aa28343e0d986fe75151ba581619a084a2dece1d2954fd842512f66f7cc7b926
            • Opcode Fuzzy Hash: cae8b81e5f3b0e2f4ae39acc43dcbcb9197e04a08b8fe15e1faa34508b69bc33
            • Instruction Fuzzy Hash: F271E4343067509EEB64CE2AC94077BB7E1AB85744F18895EFC968B5C4DB36F802DB60
            Function 0304C640 Relevance: .2, Instructions: 206COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c456f62371e0837b5fd57d2f08253fb689ebd7e54222b0071158d14edd45263
            • Instruction ID: f28bf0fe1f67ce21e5b8b87b3e93514f3dfda6edbaf90c61f94fc20f9ab7e683
            • Opcode Fuzzy Hash: 8c456f62371e0837b5fd57d2f08253fb689ebd7e54222b0071158d14edd45263
            • Instruction Fuzzy Hash: 3371CCB5C03265AFEB25CF59C9907BEBBB4FF59700F14856AE842AB350D7709940CBA0
            Function 030EDAC6 Relevance: .2, Instructions: 202COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4939549a5f3d9eeced78660b83cea57c782db9ec790fdcb0e70954036f8a9dbe
            • Instruction ID: e6a0e4cc1e51f4809d574c7a74b4143af0968e4f448189e0f11414e81b444232
            • Opcode Fuzzy Hash: 4939549a5f3d9eeced78660b83cea57c782db9ec790fdcb0e70954036f8a9dbe
            • Instruction Fuzzy Hash: 3E81AD70E052A6DFCB24CF6AC441AAAFBF1EF49740F04889AE495AB285D374D841DF50
            Function 030F70E9 Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4c68d84f49fe25dccab7f91731f38269edba46cb144b2fb6f803c0900bfea210
            • Instruction ID: e8d04360c4c0430be43fc46615b952ea40ca613701302fd1a211ab061b41f998
            • Opcode Fuzzy Hash: 4c68d84f49fe25dccab7f91731f38269edba46cb144b2fb6f803c0900bfea210
            • Instruction Fuzzy Hash: D561F975E023169FCB54EEA9C8809FFB7BDBF84A40F044439EA119BA40DB70D9458B92
            Function 0304260B Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f5cc47595186c17a5a26ec5acae05db6b4bc981e0130bc107dba778d42556537
            • Instruction ID: 7d0af11ca2ce390e0551700a2f48fe748cd93fb9e41a1e2392afeb26e48622c4
            • Opcode Fuzzy Hash: f5cc47595186c17a5a26ec5acae05db6b4bc981e0130bc107dba778d42556537
            • Instruction Fuzzy Hash: 8D71CEB57066419FD351DF28C480B6AB7E9FF88310F0989BAF8988B351DB34D945CB91
            Function 030EF0CC Relevance: .2, Instructions: 199COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d74a2be646ea590907ce2ce4ac8db71aa24c8c7b1917204384765a0c8280fad4
            • Instruction ID: 4a4de8275d73764f9dec39fcca5e66e56b3e577fbd8f482e97b36d0f350cfe81
            • Opcode Fuzzy Hash: d74a2be646ea590907ce2ce4ac8db71aa24c8c7b1917204384765a0c8280fad4
            • Instruction Fuzzy Hash: 2F717D79B02627DFCB68CF5AC08017AF3F1BF84705B6A48AED85297640D774E991CB60
            Function 030B035C Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction ID: 3aa48a03fe0c5de62181e58d39646de864c1226a4d64f55876d5a260b9e4dbf1
            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction Fuzzy Hash: 27716DB5E01619AFCB10DFA9C984ADFBBB8FF88700F144569E505AB650DB34EA41CB90
            Function 030C62A0 Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3e6fb7be9b1390fe62d7e2bfcddfeeec8ba402bb3ffc34c2ad2d7c2990f49c97
            • Instruction ID: b67bc7a284052e727d1d5f4a36d22eb8ccbd0e284aa6ed96934b3ce2fcb3d2c8
            • Opcode Fuzzy Hash: 3e6fb7be9b1390fe62d7e2bfcddfeeec8ba402bb3ffc34c2ad2d7c2990f49c97
            • Instruction Fuzzy Hash: 57710136212B48AFD731DF14C844FAEB7E9EF84720F18492CE2568B6A0D776E944CB54
            Function 030F7A46 Relevance: .2, Instructions: 193COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 03f8f6e9de6850fa956c575d60eae68d9587248525660f763705c68f4d98b686
            • Instruction ID: 5b6159ad1dc813daf23bcf21033665caf6d26112b522d3f9870c3a63ee3b0422
            • Opcode Fuzzy Hash: 03f8f6e9de6850fa956c575d60eae68d9587248525660f763705c68f4d98b686
            • Instruction Fuzzy Hash: F8516975A012295FCB18DF69C880ABEB7E6EFC8750F184169EA50DB780DA34C902C7A0
            Function 030F132D Relevance: .2, Instructions: 188COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8d75124e2b8701f51f5dae9a863607142ab3535aa540f1b15ccf96d4cd20ba17
            • Instruction ID: e50a9d45b9d6d4acbc6266ffc2c89d2e23ecb559f6965a7858ce05a5fa74c66f
            • Opcode Fuzzy Hash: 8d75124e2b8701f51f5dae9a863607142ab3535aa540f1b15ccf96d4cd20ba17
            • Instruction Fuzzy Hash: C4819175A01205DFCB09CF99C490AAEB7F1FF88300F1981A9D859EB745D734EA51CBA0
            Function 030F903E Relevance: .2, Instructions: 186COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5889e134cabd421848c8a073f8a8c211a8af8e43c48f2801905791e00cd8f07f
            • Instruction ID: 511bb96c3b9795cfdfa52b1397a406fc34fc57d072c762c7369160001a9dcd73
            • Opcode Fuzzy Hash: 5889e134cabd421848c8a073f8a8c211a8af8e43c48f2801905791e00cd8f07f
            • Instruction Fuzzy Hash: 6361E075602715AFD395DF68C884BEBBBE8FF88300F048629FA5887A40DB30E510CB91
            Function 030FFCF2 Relevance: .2, Instructions: 181COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf183d7469ec1224c9e04b61a4ff5f4a41b7bde11582c75d7465f1447cb395c
            • Instruction ID: d53bfece4122b8d14cd57bd39665abe680e7b61f510f87f2a7a2e339bcd6be26
            • Opcode Fuzzy Hash: 0cf183d7469ec1224c9e04b61a4ff5f4a41b7bde11582c75d7465f1447cb395c
            • Instruction Fuzzy Hash: F961B071A0120BAFCB14DF68C880BBEB7F5FF88314F248969E615EB685D730A955CB50
            Function 03037703 Relevance: .2, Instructions: 179COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f721d83b370ce407925e0b89eecdb6a619296e95cd2ddb63691200f89ce916ea
            • Instruction ID: b4950fcc0fea99eed6825c0091e2c758d5ac0255c7bd69639e1aa3c774d26784
            • Opcode Fuzzy Hash: f721d83b370ce407925e0b89eecdb6a619296e95cd2ddb63691200f89ce916ea
            • Instruction Fuzzy Hash: 516143B5A01606EFDB58DF68C480AADFBF9FF89600F18856AD519A7340DB30A951CBD0
            Function 030F92A6 Relevance: .2, Instructions: 174COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d867114a9f0bc5dc6947f57ce01067aee2727053087729fec35949b382f75545
            • Instruction ID: c0831ccc48da14544a45a5929b88f47fb68341a5d8cb46bac9911fb577f08960
            • Opcode Fuzzy Hash: d867114a9f0bc5dc6947f57ce01067aee2727053087729fec35949b382f75545
            • Instruction Fuzzy Hash: 836138356067428FD351CF64C494BAAF7E0FF90304F1C486DEA858BA91DB75E806CB81
            Function 030FCE93 Relevance: .2, Instructions: 172COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction ID: 3eac2480614a85d71ad68f1e2321508fe0b67bce101aad4ae885a5db9b4ecb8e
            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction Fuzzy Hash: 0551483260630A8FE714DE2C88527ABF7D6AFC1250F1D887DEA56CB649DB30D909C791
            Function 0040FF53 Relevance: .2, Instructions: 165COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction ID: 2948c7844e8bf5681bf2219b824e50f63151c4f0def850ce58ccbf78af4cf3ed
            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction Fuzzy Hash: F05173B3E14A214BD3188E09CC40672B792FFD8312B5F81BEDD199B357CE74E9529A90
            Function 030F7D73 Relevance: .2, Instructions: 160COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 933ff0d61e98b2325fbdc9a2e057a38880d7fe25c27d826d14492b3674c7d7f2
            • Instruction ID: 4ec04ff747767521172b5acba06e9b6e5e2f5be5284170fab12134c102e869eb
            • Opcode Fuzzy Hash: 933ff0d61e98b2325fbdc9a2e057a38880d7fe25c27d826d14492b3674c7d7f2
            • Instruction Fuzzy Hash: 5451C136A1014A8FCB08CF68C480AEEB7F1EF98314B19827AD915DB355E734DA15CB90
            Function 03043740 Relevance: .2, Instructions: 159COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c89112f900db62a8ba05ef05b051eb1b8b594ae668ae5ad77ff338e79d9bc6c1
            • Instruction ID: a27ef3e439f2fed6fe1bb125d4e929e49d4e07c125864cf03e60d5d2dd11cd03
            • Opcode Fuzzy Hash: c89112f900db62a8ba05ef05b051eb1b8b594ae668ae5ad77ff338e79d9bc6c1
            • Instruction Fuzzy Hash: BE5113B9A02616AFC721CF68C4806A9F7B4FF44310F0855B9E845DB740D734EAA1CBC0
            Function 03037152 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b4abcb59eddbc1af42f49115dd09901bb1299d6a978a060d7579be9ed6223f2b
            • Instruction ID: 024790389662b840e16fa2136336f4ff3493df3b6add9b87ec40d24eb74993b6
            • Opcode Fuzzy Hash: b4abcb59eddbc1af42f49115dd09901bb1299d6a978a060d7579be9ed6223f2b
            • Instruction Fuzzy Hash: AC5112B5A0260AEFEF19DF68C844BAEF7F8FF45710F1444AAE40297290DB709911DB90
            Function 030B3A6C Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1963c8d3ff3f15b007749dc942c7d7d394d907e5608c82d165e4c2a2160d5491
            • Instruction ID: f356b64182213d80d52aef93a68c2ef86218a94afd62f4ccbde7f18a46ca6901
            • Opcode Fuzzy Hash: 1963c8d3ff3f15b007749dc942c7d7d394d907e5608c82d165e4c2a2160d5491
            • Instruction Fuzzy Hash: 9E51BE36E4012D4BEF24CA68D461BEFB3F2EB88310F580859E945BB3C4C3B66966D554
            Function 030AD800 Relevance: .2, Instructions: 155COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: af156f0134cbf90f1259ef8b5593f4c5c46c7c4bc62141847b00ed071028dbfe
            • Instruction ID: 90898d983daa67f2cf5f05798b3acfb02d43f051970ccf90c903cbb3cd29ae57
            • Opcode Fuzzy Hash: af156f0134cbf90f1259ef8b5593f4c5c46c7c4bc62141847b00ed071028dbfe
            • Instruction Fuzzy Hash: 4151D374A02A15EBCB54DF9DE4A0ABEB7F4FF45700F08415AE841DBA90E734D950CB90
            Function 030FD26B Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction ID: a9e854b9030e5fb387ab1224560f6d798a4d983363746feddceeeb8614263423
            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction Fuzzy Hash: F4517D766097429FD311CF28C884B5ABBE6FFC8344F08892DFA949B644D734E945CB52
            Function 030F7571 Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2007a53033cd529413232225aafe525a2254d7a06d259cc7ce896cb95d30c35b
            • Instruction ID: 1ca63832625d18eb019f26f6c2ae07fda71adfb12405b139e7550d2d6d04f4f6
            • Opcode Fuzzy Hash: 2007a53033cd529413232225aafe525a2254d7a06d259cc7ce896cb95d30c35b
            • Instruction Fuzzy Hash: 1E511931A01229AFCB14DF69C844ABEFBF9FF88B94F484169DA01D7650DB70AD51CB90
            Function 030351ED Relevance: .1, Instructions: 149COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: df6fa66d7e265be8c6e1f9134b6066ae17476ea138b5733ea02318d574f215d1
            • Instruction ID: 07ad8750e509bbeb92a3fd1b83578e63c3c8fc58e4a619a993bda850905bb626
            • Opcode Fuzzy Hash: df6fa66d7e265be8c6e1f9134b6066ae17476ea138b5733ea02318d574f215d1
            • Instruction Fuzzy Hash: F4518C75A07315DFEF25DAA9CC40BEEB3FCAB4B314F080459D811AB260D7B499408B66
            Function 030B5BF0 Relevance: .1, Instructions: 145COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5aaae413ae2be3243f13fa24e0915c59c9d3267489ae082c8b0f6e988d84897e
            • Instruction ID: 9c0e8d432d84784bd83f65e11587d6beb192c3e69859043b085adf06b4f742be
            • Opcode Fuzzy Hash: 5aaae413ae2be3243f13fa24e0915c59c9d3267489ae082c8b0f6e988d84897e
            • Instruction Fuzzy Hash: AE411935B43714AFCB25FFB89C526EDBAF6DF8A611B00057AE801EB285DB7489104791
            Function 0306F71F Relevance: .1, Instructions: 143COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 57c2441d7791dd08e2fa8d63cc257be97754684a91f010187da89bfa30d27165
            • Instruction ID: 807dfc933ee7ec175e65109d33048b2ae86490e8a876307822e96bee17889067
            • Opcode Fuzzy Hash: 57c2441d7791dd08e2fa8d63cc257be97754684a91f010187da89bfa30d27165
            • Instruction Fuzzy Hash: 184189B6D4622AABDF15DBA8D844AFFB7BCAF45650F0501A6E900EB200D634DE01D7E4
            Function 030601F8 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2e8abe02e220e3858c9f5ac4b9c12578964ccebf77f273b2f738be9e058b96af
            • Instruction ID: 3a0951c397f56a1cc648280539e9763becc5a2d02df67149be3d7c90155b4ddd
            • Opcode Fuzzy Hash: 2e8abe02e220e3858c9f5ac4b9c12578964ccebf77f273b2f738be9e058b96af
            • Instruction Fuzzy Hash: 6D41D076E46219DBCB14DF98C440AEEF7B4BF88710F18816AE816FB244D7359D41CBA8
            Function 03072750 Relevance: .1, Instructions: 137COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction ID: 73dc831b93e6ac66a608c3fb956717fabbf357e593901425ada1db4d046adfb9
            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction Fuzzy Hash: 70515B75A01615DFCB54CF98C580AAEF7F6FF84710F2885A9E815A7790D730AE41CB90
            Function 030AD1C0 Relevance: .1, Instructions: 135COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction ID: 07be9f76110fd5e976bd7c50d606c54d9d992e0fb1719f5b96a6f714c795653f
            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction Fuzzy Hash: 25515771A01606DFCB58CFA8D4916AAFBF1FF58314B18856ED819A7705E334EA80CF90
            Function 03036154 Relevance: .1, Instructions: 133COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 91075fad1418babf65d82a7062667a7888de493b0f21425c34239bed21c3268f
            • Instruction ID: 1969ff576f17a20507abac4cbef9ff10b2ba81d32c24572106ed012396b44350
            • Opcode Fuzzy Hash: 91075fad1418babf65d82a7062667a7888de493b0f21425c34239bed21c3268f
            • Instruction Fuzzy Hash: 93512A70A0661AEBDB65DB24CC44BE8BBF9FF46314F0842E5D425AB2C0D7799981CF40
            Function 0302B136 Relevance: .1, Instructions: 131COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0fc4c6ddb9df83486bd0add407fb5e7cc96e2b9ca3bde54ab7011dfaacd8e4d3
            • Instruction ID: 9fcfdba497cc36817d570be25c6268365bfa8636f7b8ecf89cd13727b3b3db03
            • Opcode Fuzzy Hash: 0fc4c6ddb9df83486bd0add407fb5e7cc96e2b9ca3bde54ab7011dfaacd8e4d3
            • Instruction Fuzzy Hash: BD41EDB5642311EFDB25EF68C840BAABBF8EF84784F048879E5519F290D770D954CBA0
            Function 030FF0E0 Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 96b22c95e2311989dde50af90ec455e32910b5f68857afa60d852eaf97e5cacb
            • Instruction ID: 2b2b5e97b18e3aa7bac33bf970381e94d562e3cdafd6d4b3d0d4b77f446b9c2d
            • Opcode Fuzzy Hash: 96b22c95e2311989dde50af90ec455e32910b5f68857afa60d852eaf97e5cacb
            • Instruction Fuzzy Hash: E741E3712053419FC744CF25D86487ABBE1FFC8215F044A6DF9958B782C730D919CB61
            Function 030F866E Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction ID: e52db7e3d605be58bb3f3cab901f97052c58e669ff3832d0c0dfa9ea0be2fb8c
            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction Fuzzy Hash: 87418575B02319AFDB15DF99CC85AEFB7FAAFC4600F188069E604A7741D674DD018760
            Function 030DD5B0 Relevance: .1, Instructions: 128COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c242847558f3c2214b72bb770826e77abea778b12e10e56519ca6ee9bbb3a004
            • Instruction ID: 9016052b993a4ed40fd6c7b32f228e2c39043b3e39733d0a16ab4409baab0082
            • Opcode Fuzzy Hash: c242847558f3c2214b72bb770826e77abea778b12e10e56519ca6ee9bbb3a004
            • Instruction Fuzzy Hash: F2410530A093959FCB14DF29C495ABAFBF1FF49300F09849AE4C58F245C735A456DBA0
            Function 0302A020 Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction ID: f31769fb91cedb384b48170fe75f204bd44e1abc6fdca3bf49fba7e8d34f3405
            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction Fuzzy Hash: 60412E31B02221DBDB60EF95C4907BEFBF2EB90764F19806BE9859B241DE359D40C790
            Function 03060710 Relevance: .1, Instructions: 121COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction ID: 2a2eec1b17469b8e7cb77325072cc309a45cebf32b5e6a3d3acd54c26aa3d1cc
            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction Fuzzy Hash: 20413A75A46705EFDB24CF98C980AAAB7F8FF08700B10496DE596DB694D730EA44CF90
            Function 0303262C Relevance: .1, Instructions: 119COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4e5bb72dd2d08bc60e33743373fecfd6440943176579d529cc95bc4b3f1be05
            • Instruction ID: 6fcaa916727850a3ba513a22b49acb45a5156c399c714e59bb201093d99acc07
            • Opcode Fuzzy Hash: d4e5bb72dd2d08bc60e33743373fecfd6440943176579d529cc95bc4b3f1be05
            • Instruction Fuzzy Hash: B341D174502714DFC725EF24D940BA9B7FDFF8A310F1489A9C4569B2A0EB309941CB51
            Function 030FFFB1 Relevance: .1, Instructions: 117COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 68d557022b846daedb6256eb918b334c02fe773a831c5c2f9ea486956a06ce9b
            • Instruction ID: ee0f8a3486af9593090d9e3ec749bcd6596dbe485732ca03c122218574ef6637
            • Opcode Fuzzy Hash: 68d557022b846daedb6256eb918b334c02fe773a831c5c2f9ea486956a06ce9b
            • Instruction Fuzzy Hash: 06413831A042595BC744CB26C4A0AFEBFF1AF8D245F0DC1AAD8819B286D739C546C770
            Function 030B07C3 Relevance: .1, Instructions: 114COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b67581e8c4363aeb31b34174c7b174eedbc1a2c1f431a50a4b52f2c2d5c2e024
            • Instruction ID: a985dc79aee8d8b75131427bee405a1f08a48e10030e1b9f6183e8a6882f838a
            • Opcode Fuzzy Hash: b67581e8c4363aeb31b34174c7b174eedbc1a2c1f431a50a4b52f2c2d5c2e024
            • Instruction Fuzzy Hash: 23417F72509304AFD360DF29C845B9BBBE8FF88654F004A2AF598D7291D7709954CB92
            Function 030FFA49 Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3f2bb34c426ffd157351b751a8667e7e6a764a1395c0fc257cb8d8946a335aff
            • Instruction ID: a7a8ea4a3ee69aca7bb42dcb134a097b76e2e44aa3269622aa53c480cd8aa303
            • Opcode Fuzzy Hash: 3f2bb34c426ffd157351b751a8667e7e6a764a1395c0fc257cb8d8946a335aff
            • Instruction Fuzzy Hash: B93159767021079FC718CF29CC44AA7BBD9EF88750F088674EA18CB684EB74D945C3A0
            Function 030FEEDB Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3b4294f60b3270c9969e51cc187dcc3f281f41f4732c49d13662631f45d83e3e
            • Instruction ID: 0c509c9997b75db1be9e224f711ce13627f7db7b8b74f6866868d805ff1f9e29
            • Opcode Fuzzy Hash: 3b4294f60b3270c9969e51cc187dcc3f281f41f4732c49d13662631f45d83e3e
            • Instruction Fuzzy Hash: 7E41B133E0002A9BCB18CF68D49197AF3F1FB8830476642BDD905AB294DB74AD45CB90
            Function 030FFB76 Relevance: .1, Instructions: 109COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 127efca0d5eaef5860ffdb9f69d70cec2968c0135c04908ac2510ce7f924efc3
            • Instruction ID: 8e16aba248f80b3b4ebf2b6f4e8700d38d603dae267a01fac847064ad91ad38d
            • Opcode Fuzzy Hash: 127efca0d5eaef5860ffdb9f69d70cec2968c0135c04908ac2510ce7f924efc3
            • Instruction Fuzzy Hash: 0D31F476612116BFD714DF29CD44AABBBE9EF8C350F448428FA08CF640DA74E941CBA0
            Function 0040E1F3 Relevance: .1, Instructions: 108COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction ID: 449cbb033e18bc5494fa5d8299c778f24dcbc03eaae3a15f81fb9c39cbc74c19
            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction Fuzzy Hash: 4C3193116586F10DD30E836D08BD675AEC18E5720174EC2FEDADA6F2F3C0888418D3A5
            Function 030402E1 Relevance: .1, Instructions: 106COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction ID: 5e654b9b3fcfc58c37cf0c6dea44cfc90170e80c3d26ac9ac8203c797e756fba
            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction Fuzzy Hash: DE3106B2A06244AFDB21DB68CC40BDEFFECEF44350F0885B6E455EB251D2749944CB94
            Function 03059274 Relevance: .1, Instructions: 105COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1152259f03506ea186f4eb10cb50e36ddec716f3aa76f15a83d13836f037acde
            • Instruction ID: 1fcdeaa9148b9a2db13f5bf59172f162cd01927ecb92e7c625ff490f08fc5e56
            • Opcode Fuzzy Hash: 1152259f03506ea186f4eb10cb50e36ddec716f3aa76f15a83d13836f037acde
            • Instruction Fuzzy Hash: 3B317275A02328EFDB25DB64CC40B9BB7B9EF85710F1501A9B94CAB280DB319E44CB95
            Function 03035702 Relevance: .1, Instructions: 104COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4536a3f0a1c7950229e242b0af6a94ac94dfda00ebf6991580ff1830ecac1422
            • Instruction ID: bf47b0d9b2ba48f0cfeabc7f46e1141c354d202f4a21abf0a5085aec129bfbf8
            • Opcode Fuzzy Hash: 4536a3f0a1c7950229e242b0af6a94ac94dfda00ebf6991580ff1830ecac1422
            • Instruction Fuzzy Hash: 8D31C039202A06FFDB55DB24DD80A9AF7A9BF86754F0414A5E84147A60D770E820DBD0
            Function 03034260 Relevance: .1, Instructions: 102COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 01c7c3dfe5fcfcbaddf6138397d5c18799fe8dc84a297f8b07a851d43f478098
            • Instruction ID: 64c14b4e7857e5ab0041de2ab8c35a0c6bb5b51ae5b414a7d519670d78ad1b8f
            • Opcode Fuzzy Hash: 01c7c3dfe5fcfcbaddf6138397d5c18799fe8dc84a297f8b07a851d43f478098
            • Instruction Fuzzy Hash: AE41C075202B44DFDB66CF25C981FDAB7E9EF4A314F05882AE5998F290C774E840DB90
            Function 030550E4 Relevance: .1, Instructions: 101COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction ID: 6a7a52663bb0aaf80441f9fd583e8cb0aacb4910a9db9cda983c3dea0eb279a1
            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction Fuzzy Hash: 3131F73170A3419BDB61DA2CCC0076BFBD9AB86754F0D856AFC868B380D674D841C796
            Function 030F61C3 Relevance: .1, Instructions: 97COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6ab6f947b4923701c0f11b714fd135c6bdcf04d179f03dc07ccf7b32cb0ba870
            • Instruction ID: 593ccf3af3fa0cc4a8284655b7c4ba6d6ccbb999713ef25fc235d2887fa045b1
            • Opcode Fuzzy Hash: 6ab6f947b4923701c0f11b714fd135c6bdcf04d179f03dc07ccf7b32cb0ba870
            • Instruction Fuzzy Hash: 0431D276A01619EFDB55DF98CC80BAEB3B5FB48740F454169E500AB244D775ED00CBA4
            Function 030F6BD7 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 45f86e836843b74d4e5a64218d102bd2df1d81a88229a8c85f881447e1c262c7
            • Instruction ID: 874ccb6d19c6e84cad3405899e0ef59ba95531793f52e5fcec97f28a55d7ec48
            • Opcode Fuzzy Hash: 45f86e836843b74d4e5a64218d102bd2df1d81a88229a8c85f881447e1c262c7
            • Instruction Fuzzy Hash: 2231AE31601214AFCB68CF2AD885A9B7BF4FF8D300B858469E908DF249D770E955CBA4
            Function 030F60B8 Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 24c0c19de911c708ae4b51b1b0ea3cb7ac38167a03d2a25e425e1cbc453e3c7b
            • Instruction ID: 3054e5c09ed0fd1aa4f8dc233f21146edf60c3c0650f119bee6ec1722ae05e52
            • Opcode Fuzzy Hash: 24c0c19de911c708ae4b51b1b0ea3cb7ac38167a03d2a25e425e1cbc453e3c7b
            • Instruction Fuzzy Hash: 0031E475702219AFD712EB99CC50BAFBBB9AB88310F0804A9E641DB741DB31DD008790
            Function 030307AF Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 19bab2097c97a00256d6dd192015c78b35720630dd7953d90170ac2e91d5b4b2
            • Instruction ID: 63abef34e950551258f7043de9e9cdcb4de21b9848ec236cee000da55e72d692
            • Opcode Fuzzy Hash: 19bab2097c97a00256d6dd192015c78b35720630dd7953d90170ac2e91d5b4b2
            • Instruction Fuzzy Hash: 7031C436A07711DBC711EF24C880AAFBBE9EFC6650F054929FC969B210DA30DC1187D1
            Function 0302D6AA Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
            • Instruction ID: 11726bf1a7233865e8d375c0c87c8b277d4cc6cc68b489c46df35e8d5b0f77e4
            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
            • Instruction Fuzzy Hash: F631E376A02A24AFDB61DE54C884B6FBBF9DB84710F1D8469ED659B200E338DD40CB50
            Function 0042ED83 Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c8f87b7f006b1d8b0538ad710463dcb5b91f1b0d37d44c62599d5ed22c55d120
            • Instruction ID: 02666cb92a6a0255eadff15ccb448de357b998be517c71c70f61df0405b196e7
            • Opcode Fuzzy Hash: c8f87b7f006b1d8b0538ad710463dcb5b91f1b0d37d44c62599d5ed22c55d120
            • Instruction Fuzzy Hash: F231E372B106265BD354CE3AD880656F7E1FB88350B54873AD918C3B80E774F961CBD4
            Function 030357C0 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d9ecf6d7adef816f1a045e2ed1dc536f41ed485d1b674cdb88e23cf22aba365
            • Instruction ID: ddc654e2f8a940687f7c9317e231e0194b3676ca6ae8daee16f4389678113ab1
            • Opcode Fuzzy Hash: 9d9ecf6d7adef816f1a045e2ed1dc536f41ed485d1b674cdb88e23cf22aba365
            • Instruction Fuzzy Hash: D131B439716A05FFDB51DB24DE40AAABBAAFF86310F4450A5E9418BB50D731E831CBC0
            Function 0306A6C7 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction ID: bea268b4da2ff6808365f0cacc37890b3b90fe435da2d18d1512c27e577e127b
            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction Fuzzy Hash: CA314DB2B02B00AFD7A4DF69DD41B57B7F8BF48B50F08492DA59AD3650E630E900CB64
            Function 004031C0 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1669854132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 927c130d5b78b3f57ddfb031e9c971aa3cebb46ba5355814f99ba86216a0421c
            • Instruction ID: 583ad629750762b5c366185a1c3f0ed5bfa97c64a47d18887e6c4106169a741c
            • Opcode Fuzzy Hash: 927c130d5b78b3f57ddfb031e9c971aa3cebb46ba5355814f99ba86216a0421c
            • Instruction Fuzzy Hash: 1B319F72A14A148FD378CE6DD841253B7E9AB8C340B418B3EE85AD7790DB78F9058BC4
            Function 0305438F Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 87f72ef774d4f7b6311402db5d308f2aa5731646fe65599d45f7b467d469b0c9
            • Instruction ID: 32aa3477d0a7b09df37afed094b54034c39632da59220bb9568ed64fe4b0e349
            • Opcode Fuzzy Hash: 87f72ef774d4f7b6311402db5d308f2aa5731646fe65599d45f7b467d469b0c9
            • Instruction Fuzzy Hash: 0C31C435B02305DFDB24EFA9C980AEFB7F9AB84305F00852AE845D7654D770E985CB50
            Function 030392C5 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction ID: 3d86f54cd9de2480fa82d32f94e2d54de0f6d27ffcc61203dd0ad7be95baf727
            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction Fuzzy Hash: E7317AB56093499FCB01DF18D840A9ABBEDEF89350F0409AAF851DB3A1D731DD14CBA6
            Function 03087190 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction ID: 654c76af874d933027aafba0687694d36151155b05d3c4e4c0af1e245052029e
            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction Fuzzy Hash: BF318C75605206CFCB50CF1CC48095AFBF5FF89750B2985A9E9989B319EB30ED06CB91
            Function 030EC3CD Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction ID: 9a5c0d7cb1988164fde006898ec4cd37e00f22726895a9a0d5b673a02663202b
            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction Fuzzy Hash: 86210B7FB01755AEDB15EBA58800AFAF7B4EFC0610F44801AFD668A951E636DD50C360
            Function 0302C156 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 61ebef1b89f6bf485a3f14b0958b4d3af3f481d1fe4fb7c24e98692fbf9c62f9
            • Instruction ID: 421b745d99e3910b9ce31b2ea94b96d3e2a02dd2992cb8a9c24a7f2c1648c28c
            • Opcode Fuzzy Hash: 61ebef1b89f6bf485a3f14b0958b4d3af3f481d1fe4fb7c24e98692fbf9c62f9
            • Instruction Fuzzy Hash: 593129B55023109BC734FF14CC41BA9B7B9EF85314F5886A9D8859F3C1EA74D981CBA0
            Function 0302E388 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction ID: 8ebde2ef9132d073f6380ed81d977151cd57ce1e74cbaec4cf39cab1379c7223
            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction Fuzzy Hash: CB31AB35602614EFD721DF68C884FAABBF8EF84354F1449A9E552CB690E730EE02CB50
            Function 031003E6 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2856596b027ced11c2f690eed7cdeff71e39939f7200d59cd8518c4e88bdc971
            • Instruction ID: 295f7eff6a4835c802fcbd1bf00e8ba7ac78a46b41ec66b0b950ea80716c75ee
            • Opcode Fuzzy Hash: 2856596b027ced11c2f690eed7cdeff71e39939f7200d59cd8518c4e88bdc971
            • Instruction Fuzzy Hash: AC316F71A00119BFCB18DBA9D894F9FBBB9FB8C214F414169E905E7240DB70AE54CBA4
            Function 030AE609 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1cb09afe1a1b1815ecebd9795e364b775d46873a9c993a0ec47c3bb2a5d33e5a
            • Instruction ID: 86324a0b044b6b811a0e28f47e7dd862031e15aa6b762f4ac313282b98a48aef
            • Opcode Fuzzy Hash: 1cb09afe1a1b1815ecebd9795e364b775d46873a9c993a0ec47c3bb2a5d33e5a
            • Instruction Fuzzy Hash: EC31DF79A01605DFCB18CF5CD880DAEB7FAFF88344B158959E8099B390E770EA51CB90
            Function 03033616 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 35193c582fe3f4fea5624c647aea60a47c6e85479bd46bc79d796a8a27164de7
            • Instruction ID: 0627f540bd1d70abe1efa6ffc27a76fabbfd64fa9a8a1ea78d45cc7976ad9ffb
            • Opcode Fuzzy Hash: 35193c582fe3f4fea5624c647aea60a47c6e85479bd46bc79d796a8a27164de7
            • Instruction Fuzzy Hash: 1821F5792477509FCBB5EF04C984B6ABBECFF86B11F0948A9E8410B651C7B0E944CB91
            Function 03100591 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f21075410e4919aae2155646265a615941c44f1bd8e4dc540d3294873880c75
            • Instruction ID: b92fe74913598f7a53bf29bb6555e7fb13a96df1cb097a0d6e95ce18e2353dc1
            • Opcode Fuzzy Hash: 8f21075410e4919aae2155646265a615941c44f1bd8e4dc540d3294873880c75
            • Instruction Fuzzy Hash: 1621E5326146058FD728CE29D880BBAB7A6EFDC310F598478E905DB2C5DBB0F895CB50
            Function 0305F32A Relevance: .1, Instructions: 79COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction ID: 0a1dea9465ce8864b6d550dc3ebfb02bc0a3f0bdf80a5f891d9afb40d0460b7e
            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction Fuzzy Hash: 0821CF72202301DFD719DF15C445B6BBBE9EF95361F15816DE90A8B2A0EB74E801CB98
            Function 030B019F Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 92a4a247c90dcb9693e3dd0f129f1bd3374327a23a8f5b341c4b3c384ebcc144
            • Instruction ID: 78f64821886727aa8e815a70c059e80fd7aa3ea974b08d897fce63cfc7f189c3
            • Opcode Fuzzy Hash: 92a4a247c90dcb9693e3dd0f129f1bd3374327a23a8f5b341c4b3c384ebcc144
            • Instruction Fuzzy Hash: 76218B75601644ABD715DB68D840BAAB7B8FF88740F1840A9F944DB6A0D734ED50CBA8
            Function 03069660 Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 713c4fad81a0219601ffd5f3d90cda358383f0ed03f26864fe7d36266d400084
            • Instruction ID: 9cbb031a5534cba5b18e1e98903a7f8b34482d2bd18b70e60a096e10467782db
            • Opcode Fuzzy Hash: 713c4fad81a0219601ffd5f3d90cda358383f0ed03f26864fe7d36266d400084
            • Instruction Fuzzy Hash: BF212930203B04DBCB31EA25DD00B2B77E9FB84324F144A59F8924ADE8D731A851CB51
            Function 030B0283 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 122969d6e4939a00436cf1cc410e5bbdee751f6264a89a4c4d13623a35eef5ab
            • Instruction ID: a2bf61b393c1ec68e731f69f41cf78f08cb3151541d267b8ee2d1bf16f7cd888
            • Opcode Fuzzy Hash: 122969d6e4939a00436cf1cc410e5bbdee751f6264a89a4c4d13623a35eef5ab
            • Instruction Fuzzy Hash: 2221AFB29063459BD711EF69D848BDBF7ECBFD1640F0844A6BC808B251D734DA48C6A6
            Function 030D71F9 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 91ac4d4c7cd168c4d478fe0c4949de46a18cbe292aad361730ff06c925cc4388
            • Instruction ID: 41c95e6120ae853e955080c000f00f6409caeb9185e5e2fa05bac9050c75834a
            • Opcode Fuzzy Hash: 91ac4d4c7cd168c4d478fe0c4949de46a18cbe292aad361730ff06c925cc4388
            • Instruction Fuzzy Hash: A3210031A067908BC321EE698840B7FB7EDEFC5A24F18492DF8A697140CB60A9858791
            Function 030AD0C0 Relevance: .1, Instructions: 73COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction ID: 526f690c6642df4c4f636f2d97738e3ad114a897d53e73cd83920306d3fc677a
            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction Fuzzy Hash: 5E21F272646B00ABC321DF1CDC51B9BBBA4FB88720F04062EF9449B7A0D330D90197A9
            Function 031001AA Relevance: .1, Instructions: 71COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b34864b3dd223f9e0beca113e43e3b5a9e19687c8b3961a80240c725c9f0299b
            • Instruction ID: 6f726c5fef73e4290327acf3776d5593e09788ca442ba5ac88d354d054a3fd28
            • Opcode Fuzzy Hash: b34864b3dd223f9e0beca113e43e3b5a9e19687c8b3961a80240c725c9f0299b
            • Instruction Fuzzy Hash: FF21E4712042504FD745CB1A88B44F6BFE5EFCA125F0982F6D884CB742C134D907C7A0
            Function 0306A30B Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b17e7309cb1eaad2f59892ffc4af6796b2c3a57f5d603077ae05d218d7a6ccba
            • Instruction ID: 4cf42f738af6879a0f23d9850d43ab8d25e287b281a8452066a64865028382ab
            • Opcode Fuzzy Hash: b17e7309cb1eaad2f59892ffc4af6796b2c3a57f5d603077ae05d218d7a6ccba
            • Instruction Fuzzy Hash: AE21AC79202B10DFC724EF69CD00B46B7F5AF88704F1884A8A909DB761E331E952CB98
            Function 0302B765 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 8ee50c55c926b7f53c415d2268a51a1ad08f1996a385dad8d9226efb8eecbdb0
            • Instruction ID: f416364cd8840d5343d22617847cd772ae58b0f7131e0b515aa8684b32df7522
            • Opcode Fuzzy Hash: 8ee50c55c926b7f53c415d2268a51a1ad08f1996a385dad8d9226efb8eecbdb0
            • Instruction Fuzzy Hash: C7217A76102B10DFC725EF68C940F99BBF9FF58708F18496CE00A9BAA1C774A950CB44
            Function 030FEE26 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 21a0b68b5e40eee0571c320ec824d0ffefbb4db8e53c8b0ff0b086a4d8da16d2
            • Instruction ID: 3e7f8089fa0f9f302cfadce8b37b9a7b9496957b86601869f3b9bc2de94843b4
            • Opcode Fuzzy Hash: 21a0b68b5e40eee0571c320ec824d0ffefbb4db8e53c8b0ff0b086a4d8da16d2
            • Instruction Fuzzy Hash: A921B433A10421AF9B18CF3DD80456AF7E6EFDC31436A427AD512DB668DB70BD11CA84
            Function 03060124 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction ID: 4b0b3791468af8a180d8e13a216d8624adfebac6435826877a714bf3cdbdc628
            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction Fuzzy Hash: 9E11EF76A82704BFE722DF89CC40FAABBB8EB80754F140429E6008F180D675EE44CB60
            Function 03038770 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5184b5d495308a4dadef47e67f61bf38ef104018230a582d0dd2106287779e81
            • Instruction ID: da78e518f7e14074ca8a1829f1594efb4e0c900bfed3e01fd19e6bba1c016ca8
            • Opcode Fuzzy Hash: 5184b5d495308a4dadef47e67f61bf38ef104018230a582d0dd2106287779e81
            • Instruction Fuzzy Hash: 24116D356026219BCB55CF59C580A6BB7EEAF8B750B1880E9FD089F205D6B2E9058790
            Function 03033720 Relevance: .1, Instructions: 67COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5e249e316e96f7a345ff852855050da9c20107974e3557f5e26b98e273052525
            • Instruction ID: ad8b9c756555d8c1994d906540138fc2018cc9ab92a267c1670b097503d64f22
            • Opcode Fuzzy Hash: 5e249e316e96f7a345ff852855050da9c20107974e3557f5e26b98e273052525
            • Instruction Fuzzy Hash: 00210A789022088BE725DF5DC4887EEB7FCFB89318F2D8058C811572D0CBB89885CB54
            Function 030380E9 Relevance: .1, Instructions: 66COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ff90652e6054c4ea495c558746886918e73b3fef66b875867346a31cf79ee961
            • Instruction ID: fd1fded8b612ed6b46de0219844a684c9f30b42384384e087585b2819ee10782
            • Opcode Fuzzy Hash: ff90652e6054c4ea495c558746886918e73b3fef66b875867346a31cf79ee961
            • Instruction Fuzzy Hash: F7216F75A01205DFCB14CF98C591AAEBBF9FB89314F2481ADE105AB350C771AD0ACBD0
            Function 0306674D Relevance: .1, Instructions: 65COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 10edac663f3dfcec6421d01470777bc781c8e77e81c5dc7dfadb5b534df3711f
            • Instruction ID: f4da7bf33713c5915560416f773366c78363cdaf2b2aa111e1c2669579cdd021
            • Opcode Fuzzy Hash: 10edac663f3dfcec6421d01470777bc781c8e77e81c5dc7dfadb5b534df3711f
            • Instruction Fuzzy Hash: 22215C75612B04EFC764DFA9C881B6AB3E8FF84250F44882DE49AC7650DB71AD50CBA4
            Function 03029240 Relevance: .1, Instructions: 64COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cbc973683d85d8b24cb9ec0b8bb2cb7866099d62d1753199be71d42f3c826904
            • Instruction ID: 937c83a3b2f2fafb8e9a443aff32659f16686b89a6faffda636ada82c66ab5e6
            • Opcode Fuzzy Hash: cbc973683d85d8b24cb9ec0b8bb2cb7866099d62d1753199be71d42f3c826904
            • Instruction Fuzzy Hash: A911E27E011240FAD738EF56D901A627BE8EBACB80F144425E8109B298E378DDA1CB74
            Function 030666B0 Relevance: .1, Instructions: 61COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 53b6540808157680b02bd557cb63161f2db94d34e102e9042d9799cdb17f04a7
            • Instruction ID: 0963d2eab417d0a81ab0ed7096db279fce5394d5e249b4dfca2a11bce162cbe7
            • Opcode Fuzzy Hash: 53b6540808157680b02bd557cb63161f2db94d34e102e9042d9799cdb17f04a7
            • Instruction Fuzzy Hash: 5011E3B6A02248EFCB24DF59D580A5BFBF8EF98610F094079E8059B318D670DE00CBA0
            Function 030FFF09 Relevance: .1, Instructions: 60COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 19d7904b1dc5861446fae25c4487ae2c93e6ed664b00e70be5c215bca7f0d774
            • Instruction ID: 3487f7b0c6ac162811f6cf85bc3655cfa0214f893cce56fee98d89b62e389fad
            • Opcode Fuzzy Hash: 19d7904b1dc5861446fae25c4487ae2c93e6ed664b00e70be5c215bca7f0d774
            • Instruction Fuzzy Hash: F3218671A102159FD754DF29E884B42BBE4FB4C210B8585BAE90CCF24AE770D894CF90
            Function 030527ED Relevance: .1, Instructions: 58COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 327193bb9ca5a2c51a16373351229c2c113fa28fbeeef7db2aa33024c12ea8dc
            • Instruction ID: 9a87d0f609a832b2ae5cd98fba360862a033945861223407b77c4eeb7556061e
            • Opcode Fuzzy Hash: 327193bb9ca5a2c51a16373351229c2c113fa28fbeeef7db2aa33024c12ea8dc
            • Instruction Fuzzy Hash: 4301C479707644ABE716E2A9D844F6BA6DCEF81354F0D08B5F9018B650DA14DC00C2A1
            Function 0305B052 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a72b47d3998f7e941f31f8921d0938ad3151e831cbff68dfa1b438d763309184
            • Instruction ID: b570994b4f920243b8fb89a718e143d1790989fec61e2c8c1696c61a94ecbcb9
            • Opcode Fuzzy Hash: a72b47d3998f7e941f31f8921d0938ad3151e831cbff68dfa1b438d763309184
            • Instruction Fuzzy Hash: 90019676B05740ABD711EB699C85FAFBAE8EFC4614F040429FA05D7141EB70FD018661
            Function 03034690 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8513b4dce1bcbe8a4cc1def8689e9ea4f26167a91ec86bf9632b423709dd9159
            • Instruction ID: 18a63578a889a82a844d5f43d41e627923e40c1790a3dc047c55ec5b95ee301b
            • Opcode Fuzzy Hash: 8513b4dce1bcbe8a4cc1def8689e9ea4f26167a91ec86bf9632b423709dd9159
            • Instruction Fuzzy Hash: 06119E7A242644AFDB25CF5AD940B57B7ACEB8A764F044519F8148F290C770E840CF60
            Function 03066620 Relevance: .1, Instructions: 56COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b3bf421d074507cf9511b8dcb165749659c686bb75508b3753a0257ca469c3c4
            • Instruction ID: 4c6963ea487f32e4fc0dc7592ae91bae2a5a905bb2430ede6d3250c3bf633835
            • Opcode Fuzzy Hash: b3bf421d074507cf9511b8dcb165749659c686bb75508b3753a0257ca469c3c4
            • Instruction Fuzzy Hash: 2311E576A02719ABCB21EF59DDC0B9EF7F8EF88750F540054E901BB204D731AD118BA0
            Function 03027330 Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f8f267bd81b3de51e51e2062f69f0ea37f98b89023ac7ea5254f4fc09f28d53
            • Instruction ID: c912309a79348d86f20792e0448e3e26ecc79f485c3b1197893618fe1c0c1a79
            • Opcode Fuzzy Hash: 8f8f267bd81b3de51e51e2062f69f0ea37f98b89023ac7ea5254f4fc09f28d53
            • Instruction Fuzzy Hash: 7C11A071602724AFD722CF65C841FAB7BE8EB48704F05882AE985DB211D775EC00CBA9
            Function 0305F2D0 Relevance: .1, Instructions: 54COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f0addcad51a69f1884fbb1a5f4da41b40fdb549a59381883abfb3dce620ab3ec
            • Instruction ID: 295742da840a4124a40254fea44af7c5b164ff71ecf4b05aef60be65b89df883
            • Opcode Fuzzy Hash: f0addcad51a69f1884fbb1a5f4da41b40fdb549a59381883abfb3dce620ab3ec
            • Instruction Fuzzy Hash: 0311A075A02748DBD720DF69D844FAEB7E8AB84600F1804B6E901AB241DA79D901C754
            Function 030C72A0 Relevance: .1, Instructions: 53COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction ID: 83c9e1b44a5e2a9ff21707f763256f1aa39ef255c0daf061f27118f63004e66c
            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction Fuzzy Hash: 9301F57A241649BFD711EF16CC80FA6F77DFF84790B044929F10046560C731ACA0CBA8
            Function 0302A250 Relevance: .1, Instructions: 52COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction ID: 054db0248a208655784d26a7241a94736b84c7cc223e1c5b669ca10d6e02b8dd
            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction Fuzzy Hash: 1401C4716067219BCB60CF199840A6ABFE9EB45770705896EF8958B680DF31D424CB60
            Function 03036259 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: daa9f8a4488dacec37688c6f526859780ee182c4e5544f80d5e3e8474e8385b3
            • Instruction ID: 410da1cf778332dc86dbe17bf8b21e91a51ed2f8390aac0fb043ab3ac86aa37e
            • Opcode Fuzzy Hash: daa9f8a4488dacec37688c6f526859780ee182c4e5544f80d5e3e8474e8385b3
            • Instruction Fuzzy Hash: 8B11707494231CABEB65EB64CC41FE9B3B8EF44710F5445D4A314AA0E0DB709E91CF88
            Function 030AE1D0 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 89fac5f0b3270e624c9c0dc1a682ee08d46e4eaceb21f063352057488b4e08c6
            • Instruction ID: 45deb94216d6d8f67523de8d44374bc94e3389a49a23443de88adbcd48869866
            • Opcode Fuzzy Hash: 89fac5f0b3270e624c9c0dc1a682ee08d46e4eaceb21f063352057488b4e08c6
            • Instruction Fuzzy Hash: AD117C36642740EFCB15EF58D980F56B7B8FF88B44F140465E9059B6A1C235ED01CB90
            Function 0303208A Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction ID: efd3fde560122d74e0a51f5df4dc0d2653bd1547caaaba6a24843c0f995c00be
            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction Fuzzy Hash: 640128362022118BDF50EA69D880BD6B7AEBFC5700F1949E5ED418F246DA71C881C790
            Function 0302C020 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction ID: d18bf6aae7df46ebd52950cb0e86ea7a633a50379ed424e849cf9b3caa8e944a
            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction Fuzzy Hash: 14014C361027459FEB32E766D840FABB7EDFFC4650F08491AE9868B580DE70E501CB50
            Function 030720F0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b76cbf18cc43292c11e9fed5587ea0c1831859a84dff278772e3ffe37aae49af
            • Instruction ID: 313667678cca31e702403cf3c913a6aa8291c300415be95752419fd09d03ab56
            • Opcode Fuzzy Hash: b76cbf18cc43292c11e9fed5587ea0c1831859a84dff278772e3ffe37aae49af
            • Instruction Fuzzy Hash: 8A116D75A0224CEBDB05EFA8D850EAE7BB9FB84340F004499E9019B290D635EE11CB94
            Function 03029353 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction ID: beb056fd8133c3710044a84ee9479965b54abd8f40c4ad2fa0eea2249f72f1a4
            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction Fuzzy Hash: 55118B72902B219FD721DF15C880F62BBE8BF80762F19886CE4894A5A5C374E890CB14
            Function 030533A5 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction ID: 5a614c932e2a5ba6d15a5e13a817fac9177fec7e32cab21dc4bfffc5e4eddeb0
            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction Fuzzy Hash: D101F93A702205A7CB1ADB9BCC04F9FBBAC9FC4681B150469BE05DF520EA30ED01CB60
            Function 0306D1D0 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction ID: 4278b125deebb14b14473b7d9268517a1ef2ca016efe14c29ba76e0d15362cb6
            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction Fuzzy Hash: 450147BAB036059BD710DA54E800FA9B3E9EFD8720F148155FE128F284CB74DA00C780
            Function 0302826B Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 549a734c7aca339a026f4081d4679a061ad7c8079113ae7c34a8ef9970fd533a
            • Instruction ID: afb371eb0c483e684b0f88dca3d4ff50428a683ee1becaaf0a8176b489b36383
            • Opcode Fuzzy Hash: 549a734c7aca339a026f4081d4679a061ad7c8079113ae7c34a8ef9970fd533a
            • Instruction Fuzzy Hash: E901AC39702614DBC71CEB65DC10AEEBBF9EF84510F198029D901AB640EE70DD05C7A5
            Function 0304E016 Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction ID: 6d5e3b6d65873a0889f05e848c35bdd7f581137b2a07bb5637e70c09f8125d5b
            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction Fuzzy Hash: BF015AB22026809FD322E71DC948F7AB7ECEB85750F0D04B1E955CB691D768DD80C625
            Function 030EF367 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f65fed2f06e1a63e60f82972e098ba952d3b76e4e562d3ba0f114ba083771ef
            • Instruction ID: cce3d9ca05a610e52f8196f7565e8fa3fea90423496ef77c3d6bd6c6fc65d466
            • Opcode Fuzzy Hash: 7f65fed2f06e1a63e60f82972e098ba952d3b76e4e562d3ba0f114ba083771ef
            • Instruction Fuzzy Hash: 82018F75A11358EFDB14EFA9D815FAFBBB8EF84700F044066B500EB280D6B4DA00C7A8
            Function 030F972B Relevance: .0, Instructions: 44COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
            Function 03105636 Relevance: .0, Instructions: 44COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3f0a07a01ed6f2d7d99bf6e1d84ac48da0e4b69f9ef7478c789d606e0e5f5c41
            • Instruction ID: bef3b80f99b5745d20919d0a6311916528ae987fc7e86f188dff497a8fcc793c
            • Opcode Fuzzy Hash: 3f0a07a01ed6f2d7d99bf6e1d84ac48da0e4b69f9ef7478c789d606e0e5f5c41
            • Instruction Fuzzy Hash: 0A116D78D10249EBCB04DFA9D440ADEB7B4EF18304F14809AA814EB380D774DA02CBA5
            Function 0302C310 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction ID: 59f4ff0c9f87ed07675c224ba35591f70f115df5f730eb3a04e489f97b7c37c4
            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction Fuzzy Hash: F3F0FC772477329BE732D6594880FAFAD958FC5AA4F190435E1099F604CA648C0157D4
            Function 03105152 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 38e117c8b530e82117f4987c984bd94544664864e2d7230baedf19b70cc292e9
            • Instruction ID: d6c0e7f0b9dea28ab1b149a3fb95b25b21c49b6150f33d75aed464b39c0341ca
            • Opcode Fuzzy Hash: 38e117c8b530e82117f4987c984bd94544664864e2d7230baedf19b70cc292e9
            • Instruction Fuzzy Hash: 89012175A11209ABDB04DF69D9519DEB7F8FF8D300F14405AE500E7380D774AA018BA5
            Function 03105060 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cb343b8e482b53be4fd76cce855125b7be222d3f14adb317818f36b703beab5d
            • Instruction ID: d11ce9aef681b487fb21c051a4f5b55fb964ea0c90cdddbd86d2362eb5c5706f
            • Opcode Fuzzy Hash: cb343b8e482b53be4fd76cce855125b7be222d3f14adb317818f36b703beab5d
            • Instruction Fuzzy Hash: CA012CB5A11309ABDB04DFA9D9419EEB7B8EF89300F10405AF901EB381D774AA018BA5
            Function 0305C073 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction ID: cc43cb3154f71d1e6f2bdd7ff1398e9460c478ce5eda78982ca718238d443fc4
            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction Fuzzy Hash: C8F0C2B3A01610ABD324CF4DDC40E57F7EAEBC4A80F088128A905CB220EA31DD04CB90
            Function 031050D9 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bb6d4db433b1646cf384fcda26c9526588ebec4e0a0c5db84052eefd00053e88
            • Instruction ID: 10f9d5e46b2e529df68282ae1722b260dfc24bf6cf3579c92d99a7e682bd27fe
            • Opcode Fuzzy Hash: bb6d4db433b1646cf384fcda26c9526588ebec4e0a0c5db84052eefd00053e88
            • Instruction Fuzzy Hash: 9E012CB5A01309ABDB04DFA9E9419EEB7B8EF49340F50405AE500FB380D774AA018BA5
            Function 03065734 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
            • Instruction ID: adfb5b3588a932879a5cec8b155840dd868c75d37ec735336d5c56fddd72899e
            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
            • Instruction Fuzzy Hash: 1AF0FF72A02214AFE319CF5CDC40F6AF7EDEB4A650F094079D500DB230E671DE04CA94
            Function 030EF78A Relevance: .0, Instructions: 42COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1dfff5c3646b02d5b824c4f9af3549c17a62768717113e0ef1d9ab56a7dad6e2
            • Instruction ID: 3d53f4ee16486f500ccff573bf0823ecb3e84c629b35dfbcae7ebf0cb6d6b5d2
            • Opcode Fuzzy Hash: 1dfff5c3646b02d5b824c4f9af3549c17a62768717113e0ef1d9ab56a7dad6e2
            • Instruction Fuzzy Hash: 230140B4E0130AAFCB44DFA9D441A9EB7F4EF48300F008069A845EB340E674DA00DB91
            Function 030EF2F8 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b5e76bcc7f9e567c4c1d274ef0f6e1f3fa44316211ce0b756f0bda725499a3a2
            • Instruction ID: 263e8da1ad9592bd64b271e8a57b8d3b919d9440666ffdbbf90b9a2bed824518
            • Opcode Fuzzy Hash: b5e76bcc7f9e567c4c1d274ef0f6e1f3fa44316211ce0b756f0bda725499a3a2
            • Instruction Fuzzy Hash: 1FF0C876F11348AFDB04DFB9D805AEEB7B8EF44710F0080A6E511EB280DA74DA0187A5
            Function 031061E5 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8b252175d8b0a144cf94d033a5b3513a91e8cdd30245a9426e9cf214a076f25e
            • Instruction ID: 42a0ca6909936b9e4308f5317bbb871f7f0f7d983928843e4c974124cecec4e4
            • Opcode Fuzzy Hash: 8b252175d8b0a144cf94d033a5b3513a91e8cdd30245a9426e9cf214a076f25e
            • Instruction Fuzzy Hash: BA018F71E01258EBDB04DFA9D841AEEB7F8EF48310F14405AE500AB280D774EA01CBA9
            Function 0306724D Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction ID: f7d93b6cb25a0c21da6287b38fcba62b72b74eb5f97eed6bf81ab97da0e55fe6
            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction Fuzzy Hash: C1F0F675A033566BEB60D7AA8940FEFB7E89FC4B14F088595B902DB148DA30E940C750
            Function 031053FC Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abf1a6737236f807052f57ecb8dffb4c52b7f17a61743ba99d49db3a05657017
            • Instruction ID: cb40c2433f81f9b1ea582ccec128afc7f8f9e9b5fb44bb6609a7e960a14c6cfb
            • Opcode Fuzzy Hash: abf1a6737236f807052f57ecb8dffb4c52b7f17a61743ba99d49db3a05657017
            • Instruction Fuzzy Hash: 65015E74E01209DFDB08DFA9D441B9EF7F4FF08300F0482A5A519EB381E6749A408B91
            Function 0302C0F0 Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3980b5c9bd7f5ea0dac0c3fce4e2e332af85e5cd3c5196c59d29ca91d3260367
            • Instruction ID: a6341fcffd916a589a82075829e1d3ab5a58711b5c8b228f5057f2aa74090240
            • Opcode Fuzzy Hash: 3980b5c9bd7f5ea0dac0c3fce4e2e332af85e5cd3c5196c59d29ca91d3260367
            • Instruction Fuzzy Hash: 6DF02B712063645FF350D65DDC02B6636D9DBC1651F298066EB098F2C0EAB5DC018394
            Function 03103749 Relevance: .0, Instructions: 38COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
            • Instruction ID: bdc0c085d894e4de6cd8d349b1d432cb67bc62d3f9c9c8f0350121f124ed0b42
            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
            • Instruction Fuzzy Hash: 2DF04FBA940304BFE711EBA4CD41FDA77FCEB44710F100566AA26DA1D0EAB0AA44CB94
            Function 030D437C Relevance: .0, Instructions: 37COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction ID: d40c4dbb6c2f65014946735eb2fdf96e0288a635e3d26035281a78ca9f1d457a
            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction Fuzzy Hash: EFF05435743B1247D7B5EA6F9850B6FE2D59FC0950B49052C9455DBA40DF70D8018794
            Function 030EF3E6 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0e3ff0c63bda8ed1a1212ffb4d86cd5dafc584107f2ffda99cb2c8bb7b8136cc
            • Instruction ID: e6a838d9a1bf72f0bd787e50e33c07b57496000ecd1cd2efc69eba3c31245e8a
            • Opcode Fuzzy Hash: 0e3ff0c63bda8ed1a1212ffb4d86cd5dafc584107f2ffda99cb2c8bb7b8136cc
            • Instruction Fuzzy Hash: 0CF0A9B5E02308EFCB04EFA9D505A9EB7F4EF48300F4080A9B945EB381E674EA00CB54
            Function 030292FF Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 047bccebddf8e2629fda389614bc16f36046766dca3a06c01e05deff0b429347
            • Instruction ID: e36dbbadf5050acc0c97133b4cab1a7d2c92c134a9d33d1f6ff25d08443cd6f5
            • Opcode Fuzzy Hash: 047bccebddf8e2629fda389614bc16f36046766dca3a06c01e05deff0b429347
            • Instruction Fuzzy Hash: 67F0FA32200344ABC731EB09CC04F9ABBEDEFC8B10F080169A94283090C7A0A918C764
            Function 030347FB Relevance: .0, Instructions: 33COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bc4bd3ca4ebd8fcdff5c669ed6bea37f5ce7191f8d80dc32ab14c5c1981b38d8
            • Instruction ID: c57488a96275124413a0a01d2fbbaa4c2c3128f3e17665867c1262536d1d1084
            • Opcode Fuzzy Hash: bc4bd3ca4ebd8fcdff5c669ed6bea37f5ce7191f8d80dc32ab14c5c1981b38d8
            • Instruction Fuzzy Hash: 82F0673D9176E49FD7A2CB6AC444B69B7DCDB02A60F0C89AAD4898F541C764D881CA50
            Function 030EF6C7 Relevance: .0, Instructions: 33COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e31d227e679a6a0ccd5c1109028a6748f7353faf65c725043636135f5df4b731
            • Instruction ID: 87626d81db2f7963ca844e2ae58697cc1dda572e4e10f8d5c936ef62e45ae69e
            • Opcode Fuzzy Hash: e31d227e679a6a0ccd5c1109028a6748f7353faf65c725043636135f5df4b731
            • Instruction Fuzzy Hash: 1FF06275A11348EFDB04EFA9D405E9EB7F4AF48304F0040A9E541EB281DA74D900CB54
            Function 030F0115 Relevance: .0, Instructions: 32COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 391242586c38ac10aa1ab21e0258e3058191c0eb14dd967852af7c0bbfff2f6f
            • Instruction ID: 68b615f0b4b18feb4d0d771abe5f449ff7ff5a3573a8c57824ce2d0689c4b182
            • Opcode Fuzzy Hash: 391242586c38ac10aa1ab21e0258e3058191c0eb14dd967852af7c0bbfff2f6f
            • Instruction Fuzzy Hash: 3CF0273A51B7C45ECF75FB2C75502D1AF98A79A110F1D1485C5A16B646C9B488D3C630
            Function 0310539D Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8fc840cfc63b48f092a2d21bd3748913178db7f6e959b5b83ab29ec2ee15c626
            • Instruction ID: 4b6ee7f79b33b766b26c475afca313d67a7594094ab4c64ec9498bc39394cba5
            • Opcode Fuzzy Hash: 8fc840cfc63b48f092a2d21bd3748913178db7f6e959b5b83ab29ec2ee15c626
            • Instruction Fuzzy Hash: 2AF05474A1534CAFDB08EF79E555E9EB7B4EF48304F108095E501EF281DAB4D901CB65
            Function 03105283 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0706c018954fab5474582440cbed4019fa1a5106047d4928d974d78bbb053ba5
            • Instruction ID: 18f10cf3700a11811dcfc117130a18aa9adc567d66b4c99bb424dc706799b88a
            • Opcode Fuzzy Hash: 0706c018954fab5474582440cbed4019fa1a5106047d4928d974d78bbb053ba5
            • Instruction Fuzzy Hash: 28F05474A15348EBDB08EFA5D515EAEB7B4BF48300F444499A541EB2C1EB74D9008B55
            Function 031052E2 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 732388e3a966be6f7c3326964db6979d19035c6604237cead5bd8cf590dc6ee7
            • Instruction ID: dacf836ad93a9d9e76e5099df608bf5f20a6ee192a62248d1ee987a8b785930a
            • Opcode Fuzzy Hash: 732388e3a966be6f7c3326964db6979d19035c6604237cead5bd8cf590dc6ee7
            • Instruction Fuzzy Hash: EDF0B474A14348ABDB08EFB5E501EAEB3B4AF48300F044098A401EF2C0DA74D900CB54
            Function 03072619 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction ID: d0607da6acd74b4f96875b5af795d5dce067d8c6563a62788fd48cf8d47e1391
            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction Fuzzy Hash: BBE092727026002BD721DE5ACC84F8777AEAFC6B10F04047AB5045E251CAE29D1982A8
            Function 03105341 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e3c707b7b7e66df0871a9bbdca8eecc75db9db563c68c19fc79cbfdd4e67a7cb
            • Instruction ID: b4d885537d1ef29f4f32bac72e304200dd26c4acd9bf9bc29f2036ab77945e8d
            • Opcode Fuzzy Hash: e3c707b7b7e66df0871a9bbdca8eecc75db9db563c68c19fc79cbfdd4e67a7cb
            • Instruction Fuzzy Hash: F3F02774E0530CEBDB08EBB9D845E9EB7B4EF49300F100098E401EF2D0EA74D9008718
            Function 03067208 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 26af69c79818a2097ddddf6121fd4655cebce0412fd20454321d2ce714c0ab66
            • Instruction ID: 0056834631b393e456d4c4f4ccf3c3944c120048616267eae737512a5bd6d8f9
            • Opcode Fuzzy Hash: 26af69c79818a2097ddddf6121fd4655cebce0412fd20454321d2ce714c0ab66
            • Instruction Fuzzy Hash: BCF0EC79913A849FD7A2C3BEE084B22B3D99F00B70F0D84A0D4098B602CBA8C880C290
            Function 03105227 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16bb22f46adceb2492bd22a960f233ec9059ac09410a757c165b7d3f845e7772
            • Instruction ID: 04794314e4a36dada4328834d0f94aed91148ae70b0d5a971bea42f2b75fc6a5
            • Opcode Fuzzy Hash: 16bb22f46adceb2492bd22a960f233ec9059ac09410a757c165b7d3f845e7772
            • Instruction Fuzzy Hash: D0F08974A15348EBDB14EBA5D515EAE73B4AF48704F044494A501DB2C1DA74D9008759
            Function 031051CB Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 02bcae95dee02909a51aadc4fd6e06f1e14902a914cc37d2eb279a2a7e8b06c2
            • Instruction ID: 7f9a5c57649423e6a71ad878066193bffd68423e7c696e4ae012b8d30726f0cf
            • Opcode Fuzzy Hash: 02bcae95dee02909a51aadc4fd6e06f1e14902a914cc37d2eb279a2a7e8b06c2
            • Instruction Fuzzy Hash: F9F08974A15248EBDB04EBA5D515E9E73B4EF48304F040055B501DB2C1E674E900C759
            Function 030AD070 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
            • Instruction ID: c690acefca7eb5d44319ffd357455df9bd339bc8dfdd854babf39bdb53ca4d5b
            • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
            • Instruction Fuzzy Hash: 10F0E53360561467C230BA4D8C05F9BFBACDBD5B70F10432ABA249B1D0DA70AA11D7D6
            Function 030EF72E Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 61bf9530751c4a687e8bbf83f778fd576bd0674744bb7ecf5b369ecb5896ff4c
            • Instruction ID: 4a238f1407de3076e1cb180f0ab18ead8051fdf6a67b7c2f4c2c33bb92fb7c17
            • Opcode Fuzzy Hash: 61bf9530751c4a687e8bbf83f778fd576bd0674744bb7ecf5b369ecb5896ff4c
            • Instruction Fuzzy Hash: 7AF0E274A02348AFDB04EBA9D555E9F77B4EF48700F0100A4E141EB280D974D9009758
            Function 03030710 Relevance: .0, Instructions: 28COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
            • Instruction ID: 779a8a767508e5ba438e4a580098120e76a1e2bcc122e7aa369524df57e1e8fe
            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
            • Instruction Fuzzy Hash: D6F0E53D7073409FDB15DF15D040ADA7BECEB42350B0404D4E8428B301DB31E982CB80
            Function 031037B6 Relevance: .0, Instructions: 27COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
            • Instruction ID: 592965b71ba04c6ebbb25478bd0d65a1fbc0c531b2c5ecce3c46d8fe2db320b9
            • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
            • Instruction Fuzzy Hash: CFE092B6211204BFE764EB58CD05FE673ECEB44720F140658B125970D0DBB0BE40CB64
            Function 030B4000 Relevance: .0, Instructions: 22COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction ID: dbbbd08cf7c53fb60c880b575d9a27b6414d5ee6a21c9775e416fc2496cc468c
            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction Fuzzy Hash: 98E0C2343103058FD755CF1AC044BA2B7F6BFD5A10F28C068A8488F206EB32E942CB40
            Function 030EB3D0 Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction ID: 181b1eb719aa909f46a4d98429c1664d57f68b6c97142a784f3a9f596983f0d3
            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction Fuzzy Hash: D6E0CD35346314BBDB22AA50CC00FA97B55DB807D0F104031FB085EA50C571DD51D7D4
            Function 0302823B Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction ID: 18e1c369a48bdf531232fcffb824c32fe05e5dd3fb7a19f117e78f155689007b
            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction Fuzzy Hash: D2E08C39503A20EEDB31EF11DC04B967AA9FB84B10F148C69E0810A4A48770A895DB48
            Function 030B92BC Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 49e094fcacc3523dbd8b0c02523075c10619e7454af5e2d6d65bc680a31cdae6
            • Instruction ID: ba3e07981a22dee0d72e4395d57b8387050d7754385098402ef48dde58d883a6
            • Opcode Fuzzy Hash: 49e094fcacc3523dbd8b0c02523075c10619e7454af5e2d6d65bc680a31cdae6
            • Instruction Fuzzy Hash: 30F0ED34652B84CFE72EDF04C1E1B5173B9F759B40F500458D4464BBA1C73A9941CA50
            Function 03032050 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4b01601a79e37ce7f5baa38a5350093756f74453d657efbcec117d932a4c41b1
            • Instruction ID: cc26e844358e936e3ce9f77ab498a21f16e90a3976e942324df89d673cbe8747
            • Opcode Fuzzy Hash: 4b01601a79e37ce7f5baa38a5350093756f74453d657efbcec117d932a4c41b1
            • Instruction Fuzzy Hash: 6FE0C232201654ABC321FB5DDD00F8A739EEFE5360F004121F1508F6D0CA60AD50C794
            Function 0302A0E3 Relevance: .0, Instructions: 15COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction ID: ce2c182f77b530b7b6e2dc9b619333bdf9d32380591e63e8e98fa9fc527b68db
            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction Fuzzy Hash: 37D0123631717097CB29E6556954FA7AD559BC1AA4F1A006D780AD7900CD158C82D7E0
            Function 030402A0 Relevance: .0, Instructions: 13COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction ID: c530bb5384036566a0fbb9745759b70f6ac68750a5212e3938a971e8da9f4551
            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction Fuzzy Hash: 44D09275213A80CFD65ACB09C6A4B16B3A8BB44A44F8508A0E501CBB61D668EA40CA00
            Function 030B930B Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction ID: d27fdccbe3c581967e9916bc78d8a77ac6236bb6f24a5687e3689a96b69bc48b
            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction Fuzzy Hash: 26D05E35946AC4CFE727CB08C165B907BF8F705F40F890098E04247BA2C37C9984CB14
            Function 0306C700 Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction ID: 1e344e277649e2742a0fc3f0db720c4b73b7aa931c2458dee4bdbffd149abae2
            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction Fuzzy Hash: 1BC0123A290648AFC712EA98CD01F427BA9EB98B40F004061F2048B670C631E920EA84
            Function 03050310 Relevance: .0, Instructions: 11COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction ID: 7da3143d76b8e57cea0eda7d19a875d6db70669ad9ac53a821a87734cf0ad205
            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction Fuzzy Hash: ECD01236100248EFCB01DF41C890DDE772AFBD8710F148419FD190B6108A31ED62DA50
            Function 03030750 Relevance: .0, Instructions: 9COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction ID: ddbe01832254e42a93da901c489723a8ecf6b41655a20a43893028b1903eaa63
            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction Fuzzy Hash: C2C04C797026418FCF15DB19D294F4577E4F744740F1518D0E945CB721E624E911CA10
            Function 03074340 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5aff11b2c8bfe41281b9b94079535e458086ec5ba879a78feb8cd395cf8a732d
            • Instruction ID: 01ba5f7c146adeb67287544d76bdd6a3efb55f0173ed54f7b3041f7c1017800d
            • Opcode Fuzzy Hash: 5aff11b2c8bfe41281b9b94079535e458086ec5ba879a78feb8cd395cf8a732d
            • Instruction Fuzzy Hash: EB90023160680412A140B25888C4586404697E0301B95C011E0824558C8B148A565361
            Function 03073010 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7b3f0529ec851a99ecfd003f5960d117bb6afb1f7af1d1997f8089d41794a367
            • Instruction ID: e0bd43d44e986bd36e8a90078e1262f2de595ab0de44d2c14464fbc3aaa9cc2e
            • Opcode Fuzzy Hash: 7b3f0529ec851a99ecfd003f5960d117bb6afb1f7af1d1997f8089d41794a367
            • Instruction Fuzzy Hash: 8F90022120284842E140B3588844B4F414687E1302FD5C019A4556558CCA1589555721
            Function 03073090 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 67fbe63d28bea02e68ff0c88be21d5f291f7e993902b9c70c5cc8bb9024d3e12
            • Instruction ID: ebf75311d4cc6e8be332e1bff245d77dc34c9d21d86c180ee46c09a6e422404c
            • Opcode Fuzzy Hash: 67fbe63d28bea02e68ff0c88be21d5f291f7e993902b9c70c5cc8bb9024d3e12
            • Instruction Fuzzy Hash: 5F90022124240C02E140B258C4547470047C7D0701F95C011A0424558D87168A6566B1
            Function 03074650 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14ed5325b8dbeb6e0d777e801b34c7d60feed6bd491ab4d617d6089b64f3d88a
            • Instruction ID: 31c4487d3d9f160c0566974e884df66fb97e06aef162cd4979ea005641b483ea
            • Opcode Fuzzy Hash: 14ed5325b8dbeb6e0d777e801b34c7d60feed6bd491ab4d617d6089b64f3d88a
            • Instruction Fuzzy Hash: 3C900261602504425140B2588844446604697E13013D5C115A0954564C871889559269
            Function 03072B80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9beeb3a637d7e1e2757340911299b9da0a37609cc836ce79b00695df2a08aa9e
            • Instruction ID: 227e2f07adcecb058d485ec00e29abd6841de12725c4a87cf210b5026c6d31fc
            • Opcode Fuzzy Hash: 9beeb3a637d7e1e2757340911299b9da0a37609cc836ce79b00695df2a08aa9e
            • Instruction Fuzzy Hash: 6090023120240C02E104B25888446C6004687D0301F95C011A6424659E976589917131
            Function 03072BA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fab693e33a595e6f9a93738cbed6d909b737bc8dc3323eaba215097a2c04f2e4
            • Instruction ID: ce895da96dbeacc49fe7a3c7f0bac4081e15daec10a300372ab21e5252573c09
            • Opcode Fuzzy Hash: fab693e33a595e6f9a93738cbed6d909b737bc8dc3323eaba215097a2c04f2e4
            • Instruction Fuzzy Hash: 4790023160640C02E150B2588454786004687D0301F95C011A0424658D87558B5576A1
            Function 03072BE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0ce42a06625f11c05117fce9047302c0c86125f4c55c9570ab75b2d8a553bcdc
            • Instruction ID: 255c6646a32e1e43b1bb9576642367f3a175ad6cd3d5e5a7799d590c98329b94
            • Opcode Fuzzy Hash: 0ce42a06625f11c05117fce9047302c0c86125f4c55c9570ab75b2d8a553bcdc
            • Instruction Fuzzy Hash: A290023120644C42E140B2588444A86005687D0305F95C011A0464698D97258E55B661
            Function 03072BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d2ecd73aa1907b577acb52217f195f2fd39b1b1382e17cea329659f9e51632c7
            • Instruction ID: 3c6f16fb4803e66306a919d02b0ed0964663dd0b229da0ff1e2f2945a35aba23
            • Opcode Fuzzy Hash: d2ecd73aa1907b577acb52217f195f2fd39b1b1382e17cea329659f9e51632c7
            • Instruction Fuzzy Hash: F390023120240C02E180B258844468A004687D1301FD5C015A0425658DCB158B5977A1
            Function 03072AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 71950d6b2a273f71883d471caa27ddedf2f94ad0f65f25460e9e9e55a31a77e6
            • Instruction ID: 53bfc74c396a34ef3c976f83325eaf9fe084aecaadfc8bf3f95ec0c3c13504d4
            • Opcode Fuzzy Hash: 71950d6b2a273f71883d471caa27ddedf2f94ad0f65f25460e9e9e55a31a77e6
            • Instruction Fuzzy Hash: 999002A1202544925500F358C444B4A454687E0301B95C016E1454564CC62589519135
            Function 03072AD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5adf3f4f62f1743d398325e58fefc8934ea559047cfa1af1e324c326111b5bc7
            • Instruction ID: 543774f7e8848665e136c1e0f34eddc367816028f2ef09b3cb3deb809d18aca6
            • Opcode Fuzzy Hash: 5adf3f4f62f1743d398325e58fefc8934ea559047cfa1af1e324c326111b5bc7
            • Instruction Fuzzy Hash: AB900435313404031105F75C474454700C7C7D53513D5C031F1415554CD731CD715131
            Function 03072AF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 48a5500da2e201d55830f8e5a5e9021066021698078473febf91685f13109a5c
            • Instruction ID: 6a6754bd2313b40ec769639cad49c7e8b135cf34327a501fa8046361ee866ac6
            • Opcode Fuzzy Hash: 48a5500da2e201d55830f8e5a5e9021066021698078473febf91685f13109a5c
            • Instruction Fuzzy Hash: 67900225222404021145F658464454B048697D63513D5C015F1816594CC72189655321
            Function 030739B0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9043e7893926109a5e40f856afe00e99608a6da5a502914f29dc5028e37f9670
            • Instruction ID: eb156590f21a9b630ce5d02182779a646c02addbd681235926ae6803285b9f27
            • Opcode Fuzzy Hash: 9043e7893926109a5e40f856afe00e99608a6da5a502914f29dc5028e37f9670
            • Instruction Fuzzy Hash: 2190022124645502E150B25C84446564046A7E0301F95C021A0C14598D865589556221
            Function 03072F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cd8937a8ea712eafacd35b8d478e011a7bcaed903b5ecfcd1669dca501ad6880
            • Instruction ID: c0a0d0c4ee9ba504824587f5a3972a5381c4084f3c484e40d383d1b7c7ac4cc6
            • Opcode Fuzzy Hash: cd8937a8ea712eafacd35b8d478e011a7bcaed903b5ecfcd1669dca501ad6880
            • Instruction Fuzzy Hash: CE90026134240842E100B2588454B460046C7E1301F95C015E1464558D8719CD526126
            Function 03072F60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 567ab1fd4de1de95b172f8c2f5c4e4e410b6c917e67f7578829b5e2cdacc1e1b
            • Instruction ID: 589c443384bfd58a6036586d82a3e4897951327609ead191bf57e50a6527f1d6
            • Opcode Fuzzy Hash: 567ab1fd4de1de95b172f8c2f5c4e4e410b6c917e67f7578829b5e2cdacc1e1b
            • Instruction Fuzzy Hash: 4F90026121240442E104B2588444746008687E1301F95C012A2554558CC6298D615125
            Function 03072F90 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c7d4130e7069615d1400ed92d3bcc369ed40eecc1dd307a35a5b2e007344fbed
            • Instruction ID: add784bdaf0fe916617e9a67b52b4f221d05125f7eb078418e6adbe9b58e3c00
            • Opcode Fuzzy Hash: c7d4130e7069615d1400ed92d3bcc369ed40eecc1dd307a35a5b2e007344fbed
            • Instruction Fuzzy Hash: 3890023120280802E100B258885474B004687D0302F95C011A1564559D872589516571
            Function 03072FA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8bdbddd1bd6ce66043a5e409307a4e6634204e68a5fc178ace44273cb116fc7a
            • Instruction ID: a9c794e1701644b40bffe02d8802be2308a351e11e4070e73799f881a963a181
            • Opcode Fuzzy Hash: 8bdbddd1bd6ce66043a5e409307a4e6634204e68a5fc178ace44273cb116fc7a
            • Instruction Fuzzy Hash: E290023120280802E100B2588848787004687D0302F95C011A5564559E8765C9916531
            Function 03072FB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 655b17162b0e3aeffe7f3ca3bbc74c6f42d6bac28e3dac494b0994ccbefbebd0
            • Instruction ID: 65afde1f8cfe999067e12f5c41dbe510717b95ea0f6be72c69ea0bf165d23a1e
            • Opcode Fuzzy Hash: 655b17162b0e3aeffe7f3ca3bbc74c6f42d6bac28e3dac494b0994ccbefbebd0
            • Instruction Fuzzy Hash: E5900221602404425140B268C8849464046ABE1311795C121A0D98554D865989655665
            Function 03072FE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 47afe021aebfc917bddc87b01181fd5393b9f69e753dd3badc6a1f1776a78216
            • Instruction ID: 03b7dc2d073b18c54f35ab2ab09424512d4a4b3285f8a516415e83477771e312
            • Opcode Fuzzy Hash: 47afe021aebfc917bddc87b01181fd5393b9f69e753dd3badc6a1f1776a78216
            • Instruction Fuzzy Hash: 1A900221212C0442E200B6688C54B47004687D0303F95C115A0554558CCA1589615521
            Function 03072E30 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ef01c826e4f2d491ced91db91d96c5f33a0271ec591378117fc246f367cf24cb
            • Instruction ID: 53e1e59cc55c36c8eb81471fc9d623e8d898e9c8c1f12b73d69f62b399d5d0d6
            • Opcode Fuzzy Hash: ef01c826e4f2d491ced91db91d96c5f33a0271ec591378117fc246f367cf24cb
            • Instruction Fuzzy Hash: D590022130240802E102B2588454646004AC7D1345FD5C012E1824559D87258A53A132
            Function 03072E80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 39a27428b8f1fdbe3449d8ea03080ed833af42c4b7004e16f833bf3261f6114e
            • Instruction ID: 978006cc818ad45688e9bf3326130e6f60e5a08615a408aec7e73aba200f319b
            • Opcode Fuzzy Hash: 39a27428b8f1fdbe3449d8ea03080ed833af42c4b7004e16f833bf3261f6114e
            • Instruction Fuzzy Hash: 2090022160240902E101B2588444656004B87D0341FD5C022A1424559ECB258A92A131
            Function 03072EA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e98725506c98022ba5deacef4cc9964df7cd60aa99bf7288232664f7e78c8b65
            • Instruction ID: 59181bd4e2d6fd29544c31fa701e200b18705e20aa5500c56e524898d07dc6d6
            • Opcode Fuzzy Hash: e98725506c98022ba5deacef4cc9964df7cd60aa99bf7288232664f7e78c8b65
            • Instruction Fuzzy Hash: FA90027120240802E140B2588444786004687D0301F95C011A5464558E87598ED56665
            Function 03072EE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ef96ed259ca64e9fc2418f0eacf27e677f9433b92b9ec748356f8cbe9a1dc667
            • Instruction ID: 3b6bb0c34a6ba2ec1a1f678cdc35a72b6daae2aa2892e3d3dcdf912f82107a26
            • Opcode Fuzzy Hash: ef96ed259ca64e9fc2418f0eacf27e677f9433b92b9ec748356f8cbe9a1dc667
            • Instruction Fuzzy Hash: 8690026120280803E140B6588844647004687D0302F95C011A2464559E8B298D516135
            Function 03072D00 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b0b24b08cd9b73036ac379a5c449e85c6081021d73db1d86b1e01f7cdc8b93ac
            • Instruction ID: 0bc5dc4228b72584672d1f4bbae8f9f53ef7260f8db34b8434486fd1bd405ca5
            • Opcode Fuzzy Hash: b0b24b08cd9b73036ac379a5c449e85c6081021d73db1d86b1e01f7cdc8b93ac
            • Instruction Fuzzy Hash: 9290022120644842E100B6589448A46004687D0305F95D011A1464599DC7358951A131
            Function 03072D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 062179a3dbf3215bde3c83ad06605c2c06b336800e7d10bc57b7e40d42a9d8ed
            • Instruction ID: ab0f1fbdc6f89c7dc8aca5e5c922a93baeac8626dd8c408127e529d253689b7b
            • Opcode Fuzzy Hash: 062179a3dbf3215bde3c83ad06605c2c06b336800e7d10bc57b7e40d42a9d8ed
            • Instruction Fuzzy Hash: B890022921340402E180B258944864A004687D1302FD5D415A041555CCCA1589695321
            Function 03073D10 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e7ee507783092ba30be6069646c793fb114ad41006c3fffcf7a0911945683dbe
            • Instruction ID: 78b4e79fd1b16aa4bb57255434fa8ce5aefa62395f07a379fa2cd7aea63590db
            • Opcode Fuzzy Hash: e7ee507783092ba30be6069646c793fb114ad41006c3fffcf7a0911945683dbe
            • Instruction Fuzzy Hash: 3D90023120340542A540B3589844A8E414687E1302BD5D415A0415558CCA1489615221
            Function 03072D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6eced130dffc702fe6f3e77ff98dc75140229b264900807e194e1423ea3c7460
            • Instruction ID: c6734bda95344e59599846dbd64c33f696c4fd329d6da1672c993ea8dd9f6e79
            • Opcode Fuzzy Hash: 6eced130dffc702fe6f3e77ff98dc75140229b264900807e194e1423ea3c7460
            • Instruction Fuzzy Hash: BF90022130240403E140B25894586464046D7E1301F95D011E0814558CDA1589565222
            Function 03073D70 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52b3526746390bf4d0e5d58bf27eba5de1f4f22a6abbd35f28c875f5b8991d77
            • Instruction ID: 7d5c2ee8df3fd87a442fced2f2bf09b1ffe7fe3f6b6e38da27442eb94cb4f563
            • Opcode Fuzzy Hash: 52b3526746390bf4d0e5d58bf27eba5de1f4f22a6abbd35f28c875f5b8991d77
            • Instruction Fuzzy Hash: 6490023520240802E510B2589844686008787D0301F95D411A082455CD875489A1A121
            Function 03072DB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 668ef1cf4b401e0d3d8e12bb3cf605d23c2aec6012e464b8fe41d16ef49f2796
            • Instruction ID: d9e062dcc6b90e0d271e18a4c10fad491bbdf1ecf487d0e8e18833c814d1d5b6
            • Opcode Fuzzy Hash: 668ef1cf4b401e0d3d8e12bb3cf605d23c2aec6012e464b8fe41d16ef49f2796
            • Instruction Fuzzy Hash: 6E90023124240802E141B2588444646004A97D0341FD5C012A0824558E87558B56AA61
            Function 03072DD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c52917ffc51e59714fb4af53e2fa364a478908248d0a18dff09608e6ada1b66e
            • Instruction ID: b4de34f3f80a891febf8bb8f0285f8965509446860203a28027176e33da0a03d
            • Opcode Fuzzy Hash: c52917ffc51e59714fb4af53e2fa364a478908248d0a18dff09608e6ada1b66e
            • Instruction Fuzzy Hash: 86900221243445526545F2588444547404797E03417D5C012A1814954C86269956D621
            Function 03072C60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4760b6e73a80a4d2383849cfdc01fa10067def3114f633e339cc56359abd7e35
            • Instruction ID: c975f90432bedbf3e330998a409d7d30fdae0cf2c907d4e67e36df3829efe30c
            • Opcode Fuzzy Hash: 4760b6e73a80a4d2383849cfdc01fa10067def3114f633e339cc56359abd7e35
            • Instruction Fuzzy Hash: 6190023120240C42E100B2588444B86004687E0301F95C016A0524658D8715C9517521
            Function 03072C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb0aaadc08cf1727cb5fdd83109ed87dfd891d00e2d93714d029c7702ee84b82
            • Instruction ID: 3562224f492677f2b485cb2cf162425621684dd381711d8bebde34beaf226a28
            • Opcode Fuzzy Hash: eb0aaadc08cf1727cb5fdd83109ed87dfd891d00e2d93714d029c7702ee84b82
            • Instruction Fuzzy Hash: 2290023120248C02E110B258C44478A004687D0301F99C411A482465CD879589917121
            Function 03072CA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 61f04b5bef9c70e658d54790893ffe949106e2065d6732cb5994ddc058554ba5
            • Instruction ID: 91c583f3f708e6fbe1ad4dc74aee16e99e956f0a51ee552c465b15ef6b06fa83
            • Opcode Fuzzy Hash: 61f04b5bef9c70e658d54790893ffe949106e2065d6732cb5994ddc058554ba5
            • Instruction Fuzzy Hash: 2F90023120240802E100B6989448686004687E0301F95D011A5424559EC76589916131
            Function 03072CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bdbcd088faca9f3c05814db7a46bf6bf29a746507b89a9c3545c636118321c7b
            • Instruction ID: 6efa049e2cd7bab178828c8ec39d47d2b40bb7367f216bd2368c40e8e80b6f1e
            • Opcode Fuzzy Hash: bdbcd088faca9f3c05814db7a46bf6bf29a746507b89a9c3545c636118321c7b
            • Instruction Fuzzy Hash: CF90022160640802E140B2589458746005687D0301F95D011A0424558DC7598B5566A1
            Function 03072CF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d7bfd1d67c067e527357ab28a65b56ba167ca38312b873b8411bd24fa1830154
            • Instruction ID: 0ce7ff1fb4659e164e958a89da5dfcfd2d098133f1c4fb30ba6b3343c487472b
            • Opcode Fuzzy Hash: d7bfd1d67c067e527357ab28a65b56ba167ca38312b873b8411bd24fa1830154
            • Instruction Fuzzy Hash: F190023120240803E100B2589548747004687D0301F95D411A082455CDD75689516121
            Function 03072C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction ID: aa0057e010792f307a6ad3e6794302dc3919de950015b0dfa45c354223d9da06
            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction Fuzzy Hash:
            Function 03072890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 7571d4bde9114c4bfa716bc39e82b9ad540c0fad8759619d06ce9268a5617136
            • Instruction ID: 3dd43c5e8df5d4a541ff5e8d49eaa179178be37ac947891ec34abaa15eb6841b
            • Opcode Fuzzy Hash: 7571d4bde9114c4bfa716bc39e82b9ad540c0fad8759619d06ce9268a5617136
            • Instruction Fuzzy Hash: 8851E9B5F02556BFCB60DBAC889057EF7FCBB48200B188569E4A5D7681D234DE40CBA4
            Function 03067630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
            Download Yara Rule
            Strings
            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 030A4742
            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 030A4725
            • CLIENT(ntdll): Processing section info %ws..., xrefs: 030A4787
            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 030A4655
            • Execute=1, xrefs: 030A4713
            • ExecuteOptions, xrefs: 030A46A0
            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 030A46FC
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
            • API String ID: 0-484625025
            • Opcode ID: c965e57698fedb32bb65b30a8b9c00417ad74d81fea22995a627e93a9b9e56e0
            • Instruction ID: 78dcd32c70aaf640c9cab70d964d0d71dc444305b0533e176ea2e15831aeb794
            • Opcode Fuzzy Hash: c965e57698fedb32bb65b30a8b9c00417ad74d81fea22995a627e93a9b9e56e0
            • Instruction Fuzzy Hash: 16511B35A023197ADF25EBA9EC45FEE73B8EF44704F0404A9E505AB191D7B09A41CF51
            Function 0307B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-$0$0
            • API String ID: 1302938615-699404926
            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction ID: f5ceeaa8e5a1b03da3c5f7c22b5059c6b783afc11a4e2b0d857a0c3f76189cf8
            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction Fuzzy Hash: 4081AE70E072499FDF64CE68C8917FEBBF5AF45310F1C865AD861AB390C6349941CB58
            Function 0305F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
            Download Yara Rule
            Strings
            • RTL: Re-Waiting, xrefs: 030A031E
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 030A02E7
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 030A02BD
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
            • API String ID: 0-2474120054
            • Opcode ID: aa5b3dd0ed81022b3e495cd044bdbb230278ef5cfef707194830906af20f7347
            • Instruction ID: 2db8c7809eccb387bbab7755e55e440a5e1c3268c69996faf324d820e075a062
            • Opcode Fuzzy Hash: aa5b3dd0ed81022b3e495cd044bdbb230278ef5cfef707194830906af20f7347
            • Instruction Fuzzy Hash: 7BE1CD35606B46DFD764CF28C884B6BB7E4BB88314F184A6DF8A58B2D0D778D844CB42
            Function 0306BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
            Download Yara Rule
            Strings
            • RTL: Re-Waiting, xrefs: 030A7BAC
            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 030A7B7F
            • RTL: Resource at %p, xrefs: 030A7B8E
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 0-871070163
            • Opcode ID: 1bd38d0dfefade9024388b76cb4247a7291fe0d779d0a202cee1180e11bde72e
            • Instruction ID: 5c68524538c811c45ac33e6c267ec5267953106bd79f41ab44d2f7c244cb31fb
            • Opcode Fuzzy Hash: 1bd38d0dfefade9024388b76cb4247a7291fe0d779d0a202cee1180e11bde72e
            • Instruction Fuzzy Hash: DD4126757027029FC724DF6ACC40B6AB7E9EF88710F044A2DF85ADB290DB71E4058B91
            Function 0306B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 030A728C
            Strings
            • RTL: Re-Waiting, xrefs: 030A72C1
            • RTL: Resource at %p, xrefs: 030A72A3
            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 030A7294
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 885266447-605551621
            • Opcode ID: ed38c1ad9db818f2e3b0b3d77d36f88683240072877618fcb95b8c8b661dcc27
            • Instruction ID: 1a106c665ac3f352fff669199b654399dcfb32c0e85686191612411cfb348299
            • Opcode Fuzzy Hash: ed38c1ad9db818f2e3b0b3d77d36f88683240072877618fcb95b8c8b661dcc27
            • Instruction Fuzzy Hash: 6041F275702706ABC720DEA9CC41BAAB7E5FF84B10F148A29F855EB640DB21E81287D1
            Function 03077D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-
            • API String ID: 1302938615-2137968064
            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
            • Instruction ID: abd2e0749aab9e49970beb63c65aea8394311e1fb8954c30f016bce8e0254830
            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
            • Instruction Fuzzy Hash: 3691D670E0220A9BDF64DF69C9857BEB7F5FF44BA0F18851AE865E72C0D73089418768
            Function 03039126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$@
            • API String ID: 0-1194432280
            • Opcode ID: eb1fcc16ae508bd7c970d6c938cc0dc52c47e1f6cfdc15088a9195b025f5fd8f
            • Instruction ID: f95edb3e29bdc727553f147ea92e2464b4e180261d036fb99a993f21c44497c0
            • Opcode Fuzzy Hash: eb1fcc16ae508bd7c970d6c938cc0dc52c47e1f6cfdc15088a9195b025f5fd8f
            • Instruction Fuzzy Hash: 14813876D01269EBDB35DF54CC44BEEB7B8AB48710F0445EAA919B7280D7709E80CFA0
            Function 030BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
            Download Yara Rule
            APIs
            • @_EH4_CallFilterFunc@8.LIBCMT ref: 030BCFBD
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1670228528.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3000000_svchost.jbxd
            Similarity
            • API ID: CallFilterFunc@8
            • String ID: @$@4Qw@4Qw
            • API String ID: 4062629308-2383119779
            • Opcode ID: b48ba49f2d2e8573c1e619830deddd924a5ee17c800bff8f0e17d8ae9f67c9d1
            • Instruction ID: 567e4c55e478eff1b11aaacca8fd94dd8f5d0b877ddaaf1f01ac88259ae5d752
            • Opcode Fuzzy Hash: b48ba49f2d2e8573c1e619830deddd924a5ee17c800bff8f0e17d8ae9f67c9d1
            • Instruction Fuzzy Hash: 8941D2B9A01228DFCB21DF95D840AEEFBF8EF99B00F04446AE910DB254D734D941CB60