Edit tour

Windows Analysis Report
Commercial Invoice Packing list.exe

Overview

General Information

Sample name:	Commercial Invoice Packing list.exe
Analysis ID:	1522687
MD5:	584c4505475c015b4a7b0b73b60a6e73
SHA1:	b8abcb6fbba8aec4c83cf245fc03b522cd27d864
SHA256:	bc50c75d095285bf6687dfc4e5a94d83b43514328d199f95ec1c593598ebc206
Tags:	exe
Infos:

Detection

FormBook

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Commercial Invoice Packing list.exe (PID: 3232 cmdline: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe" MD5: 584C4505475C015B4A7B0B73B60A6E73)

svchost.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bd50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13e1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f1f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x172c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e3f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x164c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f1f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x172c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe", CommandLine: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe", CommandLine|base64offset|contains: "{, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe", ParentImage: C:\Users\user\Desktop\Commercial Invoice Packing list.exe, ParentProcessId: 3232, ParentProcessName: Commercial Invoice Packing list.exe, ProcessCommandLine: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe", ProcessId: 4508, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe", CommandLine: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe", CommandLine|base64offset|contains: "{, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe", ParentImage: C:\Users\user\Desktop\Commercial Invoice Packing list.exe, ParentProcessId: 3232, ParentProcessName: Commercial Invoice Packing list.exe, ProcessCommandLine: "C:\Users\user\Desktop\Commercial Invoice Packing list.exe", ProcessId: 4508, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Commercial Invoice Packing list.exe	ReversingLabs: Detection: 34%
Source: Commercial Invoice Packing list.exe	Virustotal: Detection: 29%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Commercial Invoice Packing list.exe

Joe Sandbox ML: detected

Source: Commercial Invoice Packing list.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000003.1397508645.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1438634394.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1395710369.0000000003800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000003.1397508645.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1438634394.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1395710369.0000000003800000.00000004.00000020.00020000.00000000.sdmp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Commercial Invoice Packing list.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C473 NtClose,	2_2_0042C473
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk,	2_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74340 NtSetContextThread,	2_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73090 NtSetValueKey,	2_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73010 NtOpenDirectoryObject,	2_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74650 NtSuspendThread,	2_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BE0 NtQueryValueKey,	2_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BF0 NtAllocateVirtualMemory,	2_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B80 NtQueryInformationFile,	2_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BA0 NtEnumerateValueKey,	2_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AD0 NtReadFile,	2_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AF0 NtWriteFile,	2_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AB0 NtWaitForSingleObject,	2_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C739B0 NtGetContextThread,	2_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FE0 NtCreateFile,	2_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F90 NtProtectVirtualMemory,	2_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FA0 NtQuerySection,	2_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FB0 NtResumeThread,	2_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F60 NtCreateProcessEx,	2_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F30 NtCreateSection,	2_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EE0 NtQueueApcThread,	2_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E80 NtReadVirtualMemory,	2_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken,	2_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E30 NtWriteVirtualMemory,	2_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DD0 NtDelayExecution,	2_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DB0 NtEnumerateKey,	2_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D70 NtOpenThread,	2_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D00 NtSetInformationFile,	2_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D10 NtMapViewOfSection,	2_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D10 NtOpenProcessToken,	2_2_03C73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D30 NtUnmapViewOfSection,	2_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CC0 NtQueryVirtualMemory,	2_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CF0 NtOpenProcess,	2_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CA0 NtQueryInformationToken,	2_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C60 NtCreateKey,	2_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C70 NtFreeVirtualMemory,	2_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C00 NtQueryInformationProcess,	2_2_03C72C00

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402920	2_2_00402920
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401240	2_2_00401240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403200	2_2_00403200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EAE3	2_2_0042EAE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402410	2_2_00402410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FCAA	2_2_0040FCAA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FCB3	2_2_0040FCB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004045C4	2_2_004045C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402610	2_2_00402610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041662E	2_2_0041662E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416633	2_2_00416633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FED3	2_2_0040FED3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF53	2_2_0040DF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D003E6	2_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A	2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C	2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D	2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF81CC	2_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4B1B0	2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D001AA	2_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7516C	2_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B16B	2_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30100	2_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF0CC	2_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF70E9	2_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF0E0	2_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF7B0	2_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64750	2_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C6E0	2_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D00591	2_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDD5B0	2_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7571	2_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEE4F6	2_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF2446	2_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C31460	2_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF43F	2_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF6BD7	2_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7DBF9	2_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FB80	2_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFB76	2_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEDAC6	2_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDDAAC	2_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C85AA0	2_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFA49	2_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7A46	2_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB3A6C	2_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0A9A6	2_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49950	2_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B950	2_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C438E0	2_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E8F0	2_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C268B8	2_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4A840	2_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD800	2_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4CFE0	2_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41F92	2_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFFB1	2_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4F40	2_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFF09	2_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C82F28	2_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60F30	2_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEEDB	2_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52E90	2_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFCE93	2_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49EB0	2_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40E59	2_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEE26	2_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FDC0	2_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3ADE0	2_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C58DBF	2_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43D40	2_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF1D5A	2_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7D73	2_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4AD00	2_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30CF2	2_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFCF2	2_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0CB5	2_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40C00	2_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB9C32	2_2_03CB9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 265 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 89 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 105 times

Source: Commercial Invoice Packing list.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal88.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

File created: C:\Users\user~1\AppData\Local\Temp\bezzo

Jump to behavior

Source: Commercial Invoice Packing list.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Commercial Invoice Packing list.exe	ReversingLabs: Detection: 34%
Source: Commercial Invoice Packing list.exe	Virustotal: Detection: 29%

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

File read: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Commercial Invoice Packing list.exe "C:\Users\user\Desktop\Commercial Invoice Packing list.exe"
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Commercial Invoice Packing list.exe"
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Commercial Invoice Packing list.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Commercial Invoice Packing list.exe

Static file information: File size 1400397 > 1048576

Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000003.1397508645.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1438634394.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1395710369.0000000003800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000003.1397508645.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1438634394.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1395710369.0000000003800000.00000004.00000020.00020000.00000000.sdmp

Source: Commercial Invoice Packing list.exe

Static PE information: real checksum: 0xa2135 should be: 0x161b9e

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D853 push edi; iretd	2_2_0042D85C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A036 push edi; ret	2_2_0041A03F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D1BA push ss; retf	2_2_0040D1BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040222C push ecx; retf	2_2_0040231F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041AA87 push edi; iretd	2_2_0041AA93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D3DC push es; ret	2_2_0040D3E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415474 push edx; ret	2_2_00415475
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041543B push ebp; iretd	2_2_0041543C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004034A0 push eax; ret	2_2_004034A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418D13 push edi; ret	2_2_00418D14
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408682 push fs; iretd	2_2_00408684
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413F43 pushfd ; iretw	2_2_004140C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00423737 push 8DB602B4h; retf	2_2_0042373D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx	2_2_03C309B6

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

API/Special instruction interceptor: Address: 41CB254

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0041480C rdtsc

2_2_0041480C

Source: C:\Windows\SysWOW64\svchost.exe

API coverage: 0.7 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6172

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0041480C rdtsc

2_2_0041480C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004175E3 LdrLoadDll,

2_2_004175E3

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEB3D0 mov ecx, dword ptr fs:[00000030h]	2_2_03CEB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF3E6 mov eax, dword ptr fs:[00000030h]	2_2_03CEF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D053FC mov eax, dword ptr fs:[00000030h]	2_2_03D053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]	2_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0539D mov eax, dword ptr fs:[00000030h]	2_2_03D0539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A mov eax, dword ptr fs:[00000030h]	2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A mov eax, dword ptr fs:[00000030h]	2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C533A5 mov eax, dword ptr fs:[00000030h]	2_2_03C533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C633A0 mov eax, dword ptr fs:[00000030h]	2_2_03C633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C633A0 mov eax, dword ptr fs:[00000030h]	2_2_03C633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C mov eax, dword ptr fs:[00000030h]	2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C mov eax, dword ptr fs:[00000030h]	2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D05341 mov eax, dword ptr fs:[00000030h]	2_2_03D05341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29353 mov eax, dword ptr fs:[00000030h]	2_2_03C29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29353 mov eax, dword ptr fs:[00000030h]	2_2_03C29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF367 mov eax, dword ptr fs:[00000030h]	2_2_03CEF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]	2_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C37370 mov eax, dword ptr fs:[00000030h]	2_2_03C37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C37370 mov eax, dword ptr fs:[00000030h]	2_2_03C37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C37370 mov eax, dword ptr fs:[00000030h]	2_2_03C37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB930B mov eax, dword ptr fs:[00000030h]	2_2_03CB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB930B mov eax, dword ptr fs:[00000030h]	2_2_03CB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB930B mov eax, dword ptr fs:[00000030h]	2_2_03CB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]	2_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D mov eax, dword ptr fs:[00000030h]	2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D mov eax, dword ptr fs:[00000030h]	2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5F32A mov eax, dword ptr fs:[00000030h]	2_2_03C5F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C27330 mov eax, dword ptr fs:[00000030h]	2_2_03C27330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C392C5 mov eax, dword ptr fs:[00000030h]	2_2_03C392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C392C5 mov eax, dword ptr fs:[00000030h]	2_2_03C392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B2D3 mov eax, dword ptr fs:[00000030h]	2_2_03C2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B2D3 mov eax, dword ptr fs:[00000030h]	2_2_03C2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B2D3 mov eax, dword ptr fs:[00000030h]	2_2_03C2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5F2D0 mov eax, dword ptr fs:[00000030h]	2_2_03C5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5F2D0 mov eax, dword ptr fs:[00000030h]	2_2_03C5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D052E2 mov eax, dword ptr fs:[00000030h]	2_2_03D052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF2F8 mov eax, dword ptr fs:[00000030h]	2_2_03CEF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C292FF mov eax, dword ptr fs:[00000030h]	2_2_03C292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D05283 mov eax, dword ptr fs:[00000030h]	2_2_03D05283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6329E mov eax, dword ptr fs:[00000030h]	2_2_03C6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6329E mov eax, dword ptr fs:[00000030h]	2_2_03C6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h]	2_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h]	2_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h]	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h]	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h]	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h]	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h]	2_2_03CF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h]	2_2_03CF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h]	2_2_03CF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h]	2_2_03CF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC72A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC72A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB92BC mov eax, dword ptr fs:[00000030h]	2_2_03CB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB92BC mov eax, dword ptr fs:[00000030h]	2_2_03CB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB92BC mov ecx, dword ptr fs:[00000030h]	2_2_03CB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB92BC mov ecx, dword ptr fs:[00000030h]	2_2_03CB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29240 mov eax, dword ptr fs:[00000030h]	2_2_03C29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29240 mov eax, dword ptr fs:[00000030h]	2_2_03C29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6724D mov eax, dword ptr fs:[00000030h]	2_2_03C6724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]	2_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEB256 mov eax, dword ptr fs:[00000030h]	2_2_03CEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEB256 mov eax, dword ptr fs:[00000030h]	2_2_03CEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]	2_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFD26B mov eax, dword ptr fs:[00000030h]	2_2_03CFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFD26B mov eax, dword ptr fs:[00000030h]	2_2_03CFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]	2_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C59274 mov eax, dword ptr fs:[00000030h]	2_2_03C59274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C71270 mov eax, dword ptr fs:[00000030h]	2_2_03C71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C71270 mov eax, dword ptr fs:[00000030h]	2_2_03C71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C67208 mov eax, dword ptr fs:[00000030h]	2_2_03C67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C67208 mov eax, dword ptr fs:[00000030h]	2_2_03C67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D05227 mov eax, dword ptr fs:[00000030h]	2_2_03D05227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]	2_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6D1D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6D1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03C6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D051CB mov eax, dword ptr fs:[00000030h]	2_2_03D051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]	2_2_03C551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C351ED mov eax, dword ptr fs:[00000030h]	2_2_03C351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]	2_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]	2_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]	2_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C87190 mov eax, dword ptr fs:[00000030h]	2_2_03C87190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h]	2_2_03CE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h]	2_2_03CE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h]	2_2_03CE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h]	2_2_03CE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4B1B0 mov eax, dword ptr fs:[00000030h]	2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D05152 mov eax, dword ptr fs:[00000030h]	2_2_03D05152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h]	2_2_03C29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h]	2_2_03C29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h]	2_2_03C29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h]	2_2_03C29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C37152 mov eax, dword ptr fs:[00000030h]	2_2_03C37152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]	2_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC9179 mov eax, dword ptr fs:[00000030h]	2_2_03CC9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]	2_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]	2_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C31131 mov eax, dword ptr fs:[00000030h]	2_2_03C31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C31131 mov eax, dword ptr fs:[00000030h]	2_2_03C31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h]	2_2_03C2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h]	2_2_03C2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h]	2_2_03C2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h]	2_2_03C2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D050D9 mov eax, dword ptr fs:[00000030h]	2_2_03D050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD0C0 mov eax, dword ptr fs:[00000030h]	2_2_03CAD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD0C0 mov eax, dword ptr fs:[00000030h]	2_2_03CAD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]	2_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C590DB mov eax, dword ptr fs:[00000030h]	2_2_03C590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C550E4 mov eax, dword ptr fs:[00000030h]	2_2_03C550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C550E4 mov ecx, dword ptr fs:[00000030h]	2_2_03C550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]	2_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]	2_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D08D mov eax, dword ptr fs:[00000030h]	2_2_03C2D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C35096 mov eax, dword ptr fs:[00000030h]	2_2_03C35096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5D090 mov eax, dword ptr fs:[00000030h]	2_2_03C5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5D090 mov eax, dword ptr fs:[00000030h]	2_2_03C5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6909C mov eax, dword ptr fs:[00000030h]	2_2_03C6909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]	2_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD705E mov ebx, dword ptr fs:[00000030h]	2_2_03CD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD705E mov eax, dword ptr fs:[00000030h]	2_2_03CD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B052 mov eax, dword ptr fs:[00000030h]	2_2_03C5B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB106E mov eax, dword ptr fs:[00000030h]	2_2_03CB106E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D05060 mov eax, dword ptr fs:[00000030h]	2_2_03D05060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov ecx, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]	2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]	2_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD070 mov ecx, dword ptr fs:[00000030h]	2_2_03CAD070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]	2_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]	2_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h]	2_2_03CF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h]	2_2_03CF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h]	2_2_03CF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h]	2_2_03CF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C357C0 mov eax, dword ptr fs:[00000030h]	2_2_03C357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C357C0 mov eax, dword ptr fs:[00000030h]	2_2_03C357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C357C0 mov eax, dword ptr fs:[00000030h]	2_2_03C357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3D7E0 mov ecx, dword ptr fs:[00000030h]	2_2_03C3D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF78A mov eax, dword ptr fs:[00000030h]	2_2_03CEF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB97A9 mov eax, dword ptr fs:[00000030h]	2_2_03CB97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h]	2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h]	2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h]	2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h]	2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h]	2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D037B6 mov eax, dword ptr fs:[00000030h]	2_2_03D037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]	2_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5D7B0 mov eax, dword ptr fs:[00000030h]	2_2_03C5D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h]	2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43740 mov eax, dword ptr fs:[00000030h]	2_2_03C43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43740 mov eax, dword ptr fs:[00000030h]	2_2_03C43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43740 mov eax, dword ptr fs:[00000030h]	2_2_03C43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]	2_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D03749 mov eax, dword ptr fs:[00000030h]	2_2_03D03749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]	2_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h]	2_2_03C2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h]	2_2_03C2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h]	2_2_03C2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h]	2_2_03C2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]	2_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C37703 mov eax, dword ptr fs:[00000030h]	2_2_03C37703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C35702 mov eax, dword ptr fs:[00000030h]	2_2_03C35702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C35702 mov eax, dword ptr fs:[00000030h]	2_2_03C35702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]	2_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]	2_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]	2_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6F71F mov eax, dword ptr fs:[00000030h]	2_2_03C6F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6F71F mov eax, dword ptr fs:[00000030h]	2_2_03C6F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF72E mov eax, dword ptr fs:[00000030h]	2_2_03CEF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C33720 mov eax, dword ptr fs:[00000030h]	2_2_03C33720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4F720 mov eax, dword ptr fs:[00000030h]	2_2_03C4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4F720 mov eax, dword ptr fs:[00000030h]	2_2_03C4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4F720 mov eax, dword ptr fs:[00000030h]	2_2_03C4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF972B mov eax, dword ptr fs:[00000030h]	2_2_03CF972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h]	2_2_03D0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h]	2_2_03D0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h]	2_2_03D0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h]	2_2_03D0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29730 mov eax, dword ptr fs:[00000030h]	2_2_03C29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29730 mov eax, dword ptr fs:[00000030h]	2_2_03C29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C65734 mov eax, dword ptr fs:[00000030h]	2_2_03C65734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3973A mov eax, dword ptr fs:[00000030h]	2_2_03C3973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3973A mov eax, dword ptr fs:[00000030h]	2_2_03C3973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]	2_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h]	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h]	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h]	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h]	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF6C7 mov eax, dword ptr fs:[00000030h]	2_2_03CEF6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C616CF mov eax, dword ptr fs:[00000030h]	2_2_03C616CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h]	2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h]	2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h]	2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h]	2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h]	2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h]	2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5D6E0 mov eax, dword ptr fs:[00000030h]	2_2_03C5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5D6E0 mov eax, dword ptr fs:[00000030h]	2_2_03C5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C636EF mov eax, dword ptr fs:[00000030h]	2_2_03C636EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CED6F0 mov eax, dword ptr fs:[00000030h]	2_2_03CED6F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h]	2_2_03CB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h]	2_2_03CB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h]	2_2_03CB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h]	2_2_03CB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D6AA mov eax, dword ptr fs:[00000030h]	2_2_03C2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D6AA mov eax, dword ptr fs:[00000030h]	2_2_03C2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C276B2 mov eax, dword ptr fs:[00000030h]	2_2_03C276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C276B2 mov eax, dword ptr fs:[00000030h]	2_2_03C276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C276B2 mov eax, dword ptr fs:[00000030h]	2_2_03C276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]	2_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]	2_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C69660 mov eax, dword ptr fs:[00000030h]	2_2_03C69660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C69660 mov eax, dword ptr fs:[00000030h]	2_2_03C69660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]	2_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C61607 mov eax, dword ptr fs:[00000030h]	2_2_03C61607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]	2_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6F603 mov eax, dword ptr fs:[00000030h]	2_2_03C6F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C33616 mov eax, dword ptr fs:[00000030h]	2_2_03C33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C33616 mov eax, dword ptr fs:[00000030h]	2_2_03C33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]	2_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]	2_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F626 mov eax, dword ptr fs:[00000030h]	2_2_03C2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F626 mov eax, dword ptr fs:[00000030h]	2_2_03C2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F626 mov eax, dword ptr fs:[00000030h]	2_2_03C2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F626 mov eax, dword ptr fs:[00000030h]	2_2_03C2F626

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 315C008

Jump to behavior

Source: C:\Users\user\Desktop\Commercial Invoice Packing list.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Commercial Invoice Packing list.exe"

Jump to behavior

Source: Commercial Invoice Packing list.exe

Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	12 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	212 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Commercial Invoice Packing list.exe	34%	ReversingLabs	Win32.Trojan.Autoitinject
Commercial Invoice Packing list.exe	29%	Virustotal		Browse
Commercial Invoice Packing list.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522687
Start date and time:	2024-09-30 15:30:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Commercial Invoice Packing list.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 9 Number of non-executed functions: 318
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, time.windows.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:31:24	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\Commercial Invoice Packing list.exe
File Type:	data
Category:	modified
Size (bytes):	287232
Entropy (8bit):	7.993126786483225
Encrypted:	true
SSDEEP:	6144:1OQqwPOQR6hMbsXyMoUIk0e/2UWl9K4aCexpa:1OQqwmQRdfMdjP/WlTBefa
MD5:	04F53C872BB310E394DC56812C7EAC9A
SHA1:	1CFE833C1FDDE302D5E2C7F92AE94E11079AD5E9
SHA-256:	FEF2CDBC0A65C2C6AA45EEF94E5AD356E078A1139EAF4E11980384F3AC1396B1
SHA-512:	3F680BB373874B803CAA68F6CB7E63C9C56DFD1036FD5410A33A63646DC1E57AC583745CA4A5DEBBD0F3DC20E272331514BE3947E546A14402E1D138F87282A7
Malicious:	false
Reputation:	low
Preview:	...g.8GKC...J...h.GU...{;O...A4C1BKMTMGVCX5S8GKCCA4C1BKMTMG.CX5]'.EC.H.b.C..u./?0xE!W 9".aW"_,$9t/"v1-[sQ)k.....^&.cY@MrCX5S8GK:BH.~Q%.p4.k#?.I..y#&.Y..q4.L...oX ..*"\~Q%.MTMGVCX5.}GK.B@4....MTMGVCX5.8EJHBJ4CaFKMTMGVCX5.-GKCSA4CQFKMT.GVSX5S:GKECA4C1BKKTMGVCX5SXCKCAA4C1BKOT..VCH5S(GKCCQ4C!BKMTMGFCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4mE'39TMG..\5S(GKC.E4C!BKMTMGVCX5S8GKcCATC1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMGVCX5S8GKCCA4C1BKMTMG

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.550788166573069
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Commercial Invoice Packing list.exe
File size:	1'400'397 bytes
MD5:	584c4505475c015b4a7b0b73b60a6e73
SHA1:	b8abcb6fbba8aec4c83cf245fc03b522cd27d864
SHA256:	bc50c75d095285bf6687dfc4e5a94d83b43514328d199f95ec1c593598ebc206
SHA512:	9383df074f94cf77bd44a1ec9980ee5cbab99276626d6800195e806736947d8a52e7355b4794f8ae921c2a2229b70c17e59ee3fc2f2fcd347d9c497a39e7e2b9
SSDEEP:	24576:ffmMv6Ckr7Mny5QLzSP/EnSCiVOnkR7bWdgf3f:f3v+7/5QLe/Efy1R7KKv
TLSH:	DC55F112F7D680B2DDA339712A7BE32AEB3475194323C58BA7E01F768E111119B3B761
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007F7B38800A9Ch
jmp 00007F7B387F486Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7B387F49FAh
cmp edi, eax
jc 00007F7B387F4B9Ah
cmp ecx, 00000100h
jc 00007F7B387F4A11h
cmp dword ptr [004A94E0h], 00000000h
je 00007F7B387F4A08h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F7B387F49FAh
pop esi
pop edi
pop ebp
jmp 00007F7B387F4E5Ah
test edi, 00000003h
jne 00007F7B387F4A07h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F7B387F4A1Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F7B387F49FEh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F7B387F49BEh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9298	0x9400	f6be76de0ef2c68f397158bf01bdef3e	False	0.4896801097972973	data	5.530303089784181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xb2c78	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3278	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb38d8	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3c60	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3db8	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3e40	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3e58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3e70	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3e88	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb4028	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Target ID:	0
Start time:	09:31:17
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\Commercial Invoice Packing list.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Commercial Invoice Packing list.exe"
Imagebase:	0x400000
File size:	1'400'397 bytes
MD5 hash:	584C4505475C015B4A7B0B73B60A6E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:31:23
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Commercial Invoice Packing list.exe"
Imagebase:	0x160000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1438605926.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	6.3%
Signature Coverage:	10.5%
Total number of Nodes:	95
Total number of Limit Nodes:	9

Executed Functions

Function 004175E3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417655

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: e7dc6d0ee477ae157b340f19dc69921457d9f0c8687afbf7a2d1384491327b0c
Instruction ID: eb69db9bf8efaa2986cfdf4e607c5fc29a595e1f23a385f08c3c14a7654462b5
Opcode Fuzzy Hash: e7dc6d0ee477ae157b340f19dc69921457d9f0c8687afbf7a2d1384491327b0c
Instruction Fuzzy Hash: 7C015EB5E0020DABDB10DBE5DC52FDEB778AB54308F4041AAE90897240F635EB488BA5

Function 0042C473 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,0041619F,001F0001,?,00000000,?,?,00000104), ref: 0042C4AA

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ebf29b646508c508d37512dd22707bb04d2719e0d3e88c71623cf21526a7a6a3
Instruction ID: 8b6fd2d197a79738d68bafe02d71fa64aeff148017ff762ec0e8b83a03f38cc0
Opcode Fuzzy Hash: ebf29b646508c508d37512dd22707bb04d2719e0d3e88c71623cf21526a7a6a3
Instruction Fuzzy Hash: 4DE04F752142147BD620BA6ADC01F9B775CDFC9714F40442AFA0CA7242C6717A118AF4

Function 03C735C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03C735CA

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bca34654696f2cbbf3747880e1d8e7bff62dc23291a9053aa2bdc52fdc656fb
Instruction ID: f1b3a564e57d8db6d791bfe30329b27628126f33dd2ff5f3408a1d0e42f20d15
Opcode Fuzzy Hash: 5bca34654696f2cbbf3747880e1d8e7bff62dc23291a9053aa2bdc52fdc656fb
Instruction Fuzzy Hash: 7D90027160560802D101B2584554786100687D0705FA6C411A042C5ACD87958B5165A2

Function 03C72B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03C72B6A

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 177a777725175a310be796602bea5ce4e703806b62e828f0dd9dbdf77bb4c699
Instruction ID: a7d954574f12c2a64cadd64d7e6835217944f3637fb12dd8db4a44f45c985589
Opcode Fuzzy Hash: 177a777725175a310be796602bea5ce4e703806b62e828f0dd9dbdf77bb4c699
Instruction Fuzzy Hash: B09002A1202504034106B2584454696400B87E0705B96C021E101C5D4DC6258A916125

Function 03C72DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03C72DFA

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8962f70cba8c53e356e32ee86b3fe82e696817c8a9c7b6f7a4d94c0892e40e6
Instruction ID: 4f6675d3e3273099332e0c4ed8d15174d0278e718619d66f0ff73dc14f53d2cb
Opcode Fuzzy Hash: a8962f70cba8c53e356e32ee86b3fe82e696817c8a9c7b6f7a4d94c0892e40e6
Instruction Fuzzy Hash: 4590027120150813D112B2584544787000A87D0745FD6C412A042C59CD97568B52A121

Function 0042C7C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C7FF

Strings

'cA, xrefs: 0042C7C6

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: 'cA
API String ID: 3298025750-2370355221
Opcode ID: acfefdb3a80356bd212f12599f516ba1239d1a9b6fdfdac714d478c0783a85cf
Instruction ID: 555028ebcc251f7093260877fd94d5e3d617086eeaae4aa5e860ebc1e4e76462
Opcode Fuzzy Hash: acfefdb3a80356bd212f12599f516ba1239d1a9b6fdfdac714d478c0783a85cf
Instruction Fuzzy Hash: 8CE092B1304604BBD610EE69DC41F9B33ACEFC9714F00401DFA18A7281D670B9108BB5

Function 0042C773 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E41E,?,?,00000000,?,0041E41E,?,?,?), ref: 0042C7AF

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f4b77f2273dec16019d8b920b36054b3065a8ee74ed619d9597814caa3e3fcfc
Instruction ID: 89f1ee057969176d8101756f1d7f41c693a876ba1827579d7fa95cacfa7a8a70
Opcode Fuzzy Hash: f4b77f2273dec16019d8b920b36054b3065a8ee74ed619d9597814caa3e3fcfc
Instruction Fuzzy Hash: FAE039B17042047BD614EE69DC41E9B33ACEFC9714F004019B908A7241D670BA108AB4

Function 0042C813 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C84A

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 37220d6bb7d26430c9c2d261d1f34f052576513aa5a3cfc15d8dcd44f9992afe
Instruction ID: e18374c5559ab9fc5c5b6c15d37306319b5ce2a2461c20285597c081504b34a8
Opcode Fuzzy Hash: 37220d6bb7d26430c9c2d261d1f34f052576513aa5a3cfc15d8dcd44f9992afe
Instruction Fuzzy Hash: D8E04F716006147BD120FA6ADC01F9B775CDFC5714F00442AFA08A7241CA71791186F4

Function 03C72C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03C72C24

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a16fcdf74d2bc20d479bfc1b40779c81524d566da9a16b9921cb4237f4bbbc4d
Instruction ID: 84faa90233bd227a4f600780950a8624567ebc6a859d33608038aac95c8ba62c
Opcode Fuzzy Hash: a16fcdf74d2bc20d479bfc1b40779c81524d566da9a16b9921cb4237f4bbbc4d
Instruction Fuzzy Hash: 73B09BB19015C5C5EA11F7604608757790567D0745F5AC461D303C685E4739C2D1E175

Non-executed Functions

Function 03CB2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

ShutdownFlags, xrefs: 03CB24A1
GlobalFlag, xrefs: 03CB2F3F, 03CB3059
Initializing the application verifier package failed with status 0x%08lx, xrefs: 03CB3176
DisableExceptionChainValidation, xrefs: 03CB275F
FrontEndHeapDebugOptions, xrefs: 03CB2489
RaiseExceptionOnPossibleDeadlock, xrefs: 03CB2579
UnloadEventTraceDepth, xrefs: 03CB24C0
DisableHeapLookaside, xrefs: 03CB246D
CFGOptions, xrefs: 03CB2967
UseImpersonatedDeviceMap, xrefs: 03CB251C
LdrpInitializeExecutionOptions, xrefs: 03CB317D
TracingFlags, xrefs: 03CB2549
@, xrefs: 03CB2B74
minkernel\ntdll\ldrinit.c, xrefs: 03CB3187
@, xrefs: 03CB2942
MinimumStackCommitInBytes, xrefs: 03CB2BB0
ExecuteOptions, xrefs: 03CB25A0
GlobalFlag2, xrefs: 03CB2FC0
MaxDeadActivationContexts, xrefs: 03CB2D82
MaxLoaderThreads, xrefs: 03CB24EC

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 288e1e2061f0e560c1dd85e3aa0938031b745a8c7eb562ba4d2397e9e79fb1f0
Instruction ID: aeea6575664b303b0d03bbeb9d9d32d519b3d40015c05f24726aacc197937762
Opcode Fuzzy Hash: 288e1e2061f0e560c1dd85e3aa0938031b745a8c7eb562ba4d2397e9e79fb1f0
Instruction Fuzzy Hash: E0928A75608381AFD720DE25C884BABB7F8BB88754F084D2DFA95DB250D770E944CB92

Function 03C268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON

Download Yara Rule

Strings

SE_LdrResolveDllName, xrefs: 03C26A2C
SE_DllLoaded, xrefs: 03C26978
SE_GetProcAddressForCaller, xrefs: 03C26A59
SE_InstallAfterInit, xrefs: 03C2694B
LdrpGetShimEngineInterface, xrefs: 03C89BB9
SE_LdrEntryRemoved, xrefs: 03C269D2
ApphelpCheckModule, xrefs: 03C26A86
minkernel\ntdll\ldrinit.c, xrefs: 03C89BC3
apphelp.dll, xrefs: 03C2698A
SE_ProcessDying, xrefs: 03C269FF
SE_InitializeEngine, xrefs: 03C268C5
SE_ShimDllLoaded, xrefs: 03C268F1
Could not locate procedure "%s" in the shim engine DLL, xrefs: 03C89BB3
SE_DllUnloaded, xrefs: 03C269A5
SE_InstallBeforeInit, xrefs: 03C2691E

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-3089669407
Opcode ID: f0b0b3b2124a67d30191e30d4c985eb85e128119bee2b4c3c945b5e594545fbc
Instruction ID: d588cd32f61ebcebc7f05e536a58118ac9464702c7f9479a09029d78cee04501
Opcode Fuzzy Hash: f0b0b3b2124a67d30191e30d4c985eb85e128119bee2b4c3c945b5e594545fbc
Instruction Fuzzy Hash: 878102B7D012186F8B61FBA9EDD4EEEB7BDAB15610B054421B910FB114E730EE149BA0

Function 03C60F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON

Download Yara Rule

Strings

%%%u!%s!, xrefs: 03CA14A1
h, xrefs: 03C60FB0
9, xrefs: 03C60F9C
%%%u, xrefs: 03CA14CC
!, xrefs: 03C60FA6
%, xrefs: 03C60F7E
0, xrefs: 03C60F92
, xrefs: 03C60FEC
w, xrefs: 03C60FBA
l, xrefs: 03C60FC4

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
API String ID: 0-360209818
Opcode ID: 64b5ff52d93c276132cabac26c0ae2b4e33db46889f9b67e54d234a6c3c567d8
Instruction ID: f0a406c1a77317f2a9fa110da154a49533f6ec074b94398c4abf49b7417cf60d
Opcode Fuzzy Hash: 64b5ff52d93c276132cabac26c0ae2b4e33db46889f9b67e54d234a6c3c567d8
Instruction Fuzzy Hash: 40629EB5E0062A8FDB24CF19C8817A9B7B6EF95324F5D82DAD449EB240D7325AD1CF40

Function 03CE12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 03CE186B
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 03CE176D
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 03CE18A5
Heap block at %p has incorrect segment offset (%x), xrefs: 03CE181A
Free Heap block %p modified at %p after it was freed, xrefs: 03CE171B
HEAP[%wZ]: , xrefs: 03CE16CD, 03CE16F9, 03CE1749, 03CE179B, 03CE17FC, 03CE1840, 03CE18D9
HEAP: , xrefs: 03CE1706, 03CE1756, 03CE17A8, 03CE1809, 03CE184D, 03CE1895, 03CE18E6
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 03CE18F8
Heap block at %p is not last block in segment (%p), xrefs: 03CE17B7

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 559c681ff0a6db9ad874a2e583ca350f765f3cf5d0e85e41477cb1bd899656f3
Instruction ID: 9d7dce24789fb40ff977518bff5a74f094d714bea92837fdc4a33fbe62415a4c
Opcode Fuzzy Hash: 559c681ff0a6db9ad874a2e583ca350f765f3cf5d0e85e41477cb1bd899656f3
Instruction Fuzzy Hash: 1712C9756046829FC725DF29C440BBABBF5EF09704F0D8459E496CF682D738E9A0DB50

Function 03C4AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

DLL search path passed in externally: %ws, xrefs: 03C980A6
minkernel\ntdll\ldrutil.c, xrefs: 03C980B7
LdrpInitializeDllPath, xrefs: 03C980AD
LdrGetDllHandleEx, xrefs: 03C9807C, 03C983B2
LdrpFindLoadedDllInternal, xrefs: 03C982D7
DLL name: %wZ, xrefs: 03C98075
minkernel\ntdll\ldrfind.c, xrefs: 03C982E1
minkernel\ntdll\ldrapi.c, xrefs: 03C98086, 03C983BC
Status: 0x%08lx, xrefs: 03C982D0, 03C983AB

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 91b51e84e04cbc1c1f3161e6bbccb384ea242484c0d4018e4965aea5ab0109e8
Instruction ID: 0b0734e5c73153479c2bd55b09ad55b38121e054f148dc18df8cd6ed864b99f0
Opcode Fuzzy Hash: 91b51e84e04cbc1c1f3161e6bbccb384ea242484c0d4018e4965aea5ab0109e8
Instruction Fuzzy Hash: F512D0B5A083418FE724DF28C844BAAB7E4FF95704F09095AF985CF291E774DA44CB92

Function 03C2D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

MachinePreferredUILanguages, xrefs: 03C2D685
PreferredUILanguagesPending, xrefs: 03C8A8DE
@, xrefs: 03C2D49D
PreferredUILanguages, xrefs: 03C2D4B8, 03C2D4C5
@, xrefs: 03C2D663
Control Panel\Desktop, xrefs: 03C2D45D
@, xrefs: 03C2D3E9
Control Panel\Desktop\MuiCached, xrefs: 03C2D62B
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03C2D3B6

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 474648e7b9e6e471f576550b34da2389b892e15d7c7e8e36fc944c59ba8f6a52
Instruction ID: 0f740e15b3622867d23963a33acda5f9c426cec1905d1b5820c944a0b7c0678c
Opcode Fuzzy Hash: 474648e7b9e6e471f576550b34da2389b892e15d7c7e8e36fc944c59ba8f6a52
Instruction Fuzzy Hash: 1DB1BFB65083619FC711EF24C484B6BBBE8AF98744F054D2EF89ADB240D770DA44CB92

Function 03CE0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON

Download Yara Rule

Strings

Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 03CE1192
Non-Dedicated free list element %p is out of order, xrefs: 03CE0E6D
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 03CE0FE4
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 03CE106F
HEAP[%wZ]: , xrefs: 03CE0E54, 03CE0EB5, 03CE0FC8, 03CE1051, 03CE1117, 03CE116B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 03CE113D
HEAP: , xrefs: 03CE0E61, 03CE0EC2, 03CE0FD5, 03CE105E, 03CE1124, 03CE1178
dedicated (%04Ix) free list element %p is marked busy, xrefs: 03CE0ED1

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: a87246f26af38fe3f0541ec659cae006ac0a4ae8bdea3abd8373c415b5d9af29
Instruction ID: 3b88b63462c6dc64b6b04823535882c25e339b61c75c4c5f2c59a91c93b5650f
Opcode Fuzzy Hash: a87246f26af38fe3f0541ec659cae006ac0a4ae8bdea3abd8373c415b5d9af29
Instruction Fuzzy Hash: DBF11575A047A5EFCB25DF6AC441BAAFBF5FF09700F088069E481DB242C774AA45DB90

Function 03CC9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

BaseNamedObjects, xrefs: 03CC9477, 03CC947C
Global\Session\%ld%s, xrefs: 03CC94C5
AppContainerNamedObjects, xrefs: 03CC946E, 03CC94D6
\AppContainerNamedObjects, xrefs: 03CC94AB, 03CC94B9
\BaseNamedObjects, xrefs: 03CC949E
%s\%ld\%s, xrefs: 03CC948D
%s\%u-%u-%u-%u, xrefs: 03CC9422
\Sessions, xrefs: 03CC9488

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: d1419ac550a98ae106eb328be6077173285bf57649ba18f2e218414a7689ba6c
Instruction ID: 7aeef9516231f1dd5a75fb4b70d58783c071b4a3d51c8eb3b11ffe59b4fa0bda
Opcode Fuzzy Hash: d1419ac550a98ae106eb328be6077173285bf57649ba18f2e218414a7689ba6c
Instruction Fuzzy Hash: 8DD104B2814391AFD721DB64C844BAFF7F8AF84714F094A2DFA84DB250D770CA449B92

Function 03CE0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 03CE03BA
RtlReAllocateHeap, xrefs: 03CE02BF, 03CE0362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 03CE06EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 03CE069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 03CE04D3
HEAP[%wZ]: , xrefs: 03CE0399, 03CE04A8, 03CE05D0, 03CE0675, 03CE06CC
HEAP: , xrefs: 03CE03A6, 03CE04B5, 03CE05DD, 03CE0682, 03CE06D9
Just reallocated block at %p to %Ix bytes, xrefs: 03CE05F1

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 8d95b49c85618eb2b177c53d5fc1d0be8710e1ed0688fddcce46fed617a1230c
Instruction ID: 999f04eca14c49a2ca8f355fc30e75c9ec0dcfe12cbacca1a292ff7799485455
Opcode Fuzzy Hash: 8d95b49c85618eb2b177c53d5fc1d0be8710e1ed0688fddcce46fed617a1230c
Instruction Fuzzy Hash: A9D1EB365006A0DFCB22EF6AC440AADFBF1FF4A700F098059E855DF252C7B4AA41DB94

Function 03C2D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 03C2D2AF
@, xrefs: 03C2D0FD
@, xrefs: 03C2D313
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 03C2D262
Control Panel\Desktop\LanguageConfiguration, xrefs: 03C2D196
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 03C2D2C3
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 03C2D146
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03C2D0CF

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 9ca911d4ea253e6f3aed2be80c9bd74411197d7eb9f3fe707d973bd324702db4
Instruction ID: af4fcbf12c9de4b1e460a68bd190f137aa02439ed57a2f21bc7c4e55b5142e14
Opcode Fuzzy Hash: 9ca911d4ea253e6f3aed2be80c9bd74411197d7eb9f3fe707d973bd324702db4
Instruction Fuzzy Hash: FDA19B759083559FD320DF25C488B6BBBE8BB84729F014D2EE999DA240D774DA08CF93

Function 03C49EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON

Download Yara Rule

Strings

@, xrefs: 03C49EE7
[%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 03C976EE
minkernel\ntdll\sxsisol.cpp, xrefs: 03C97713, 03C978A4
Status != STATUS_NOT_FOUND, xrefs: 03C9789A
sxsisol_SearchActCtxForDllName, xrefs: 03C976DD
Internal error check failed, xrefs: 03C97718, 03C978A9
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03C97709

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
API String ID: 0-761764676
Opcode ID: 236b67388ede598e36d5e00720f3e6cdc601777bae60ffd2bd422c5ac824b44d
Instruction ID: 823743992231dbd21af98f464be9fd376f43b41db0ce1a37e42650ee53cc8960
Opcode Fuzzy Hash: 236b67388ede598e36d5e00720f3e6cdc601777bae60ffd2bd422c5ac824b44d
Instruction Fuzzy Hash: B3128F75910225DFEF24CF98C885ABEB7B4FF48710F1980AAE849EF241E7349951CB64

Function 03C3EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

T, xrefs: 03C3EB4E
R, xrefs: 03C3EB62
{, xrefs: 03C94643
, xrefs: 03C3F299
LdrpResSearchResourceInsideDirectory Exit, xrefs: 03C3EB6C
LdrpResSearchResourceInsideDirectory Enter, xrefs: 03C3EB58

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 5668b9cd5a9855ae0e7f1aa326e5913060e24b0953e713bc0d29ff0501a1823f
Instruction ID: 009d70cc86bfa44d507a5995e7177088723fde75edcb6e6d8237ee9bcbe0c550
Opcode Fuzzy Hash: 5668b9cd5a9855ae0e7f1aa326e5913060e24b0953e713bc0d29ff0501a1823f
Instruction Fuzzy Hash: 5CA22875E05629CBDF68DF2ACC887A9B7B5AF45304F1542EAD809EB250DB359E81CF00

Function 03C2F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 03C8E3A9
((LONG)FreeEntry->Size > 1), xrefs: 03C8E0B3
(LONG)FreeEntry->Size > 1, xrefs: 03C8E291
(UCRBlock != NULL), xrefs: 03C8DF6F
HEAP[%wZ]: , xrefs: 03C8DF57, 03C8E09B, 03C8E279, 03C8E391
HEAP: , xrefs: 03C8DF64, 03C8E0A8, 03C8E286, 03C8E39E

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 6ccc2362abff2f898f35647126503846a5754878abdb9a2aebe473ff1938aedf
Instruction ID: 5601b05e4e032a7c7b429a112b8deb5f94814d330cf8135b89f3dd2bb7448a73
Opcode Fuzzy Hash: 6ccc2362abff2f898f35647126503846a5754878abdb9a2aebe473ff1938aedf
Instruction Fuzzy Hash: 8742ED752083959FC715EF29C884A2AFBF5FF85608F08496DE486CB392D730EA41CB52

Function 03C3ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON

Download Yara Rule

Strings

LdrpResSearchResourceMappedFile Enter, xrefs: 03C3AEB8
MUI, xrefs: 03C3B410
#, xrefs: 03C9363D
J, xrefs: 03C3AEAE
H, xrefs: 03C3AEC2
LdrpResSearchResourceMappedFile Exit, xrefs: 03C3AECC

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-4098886588
Opcode ID: 609b6179558d2b36bdaf2e4148e8a5a805fee5a9b0b587ea1ef9254c8254a378
Instruction ID: 094cb5c574beef4f3a305ff16bf7ca5abd68ed244ffe17e2058769545b11d1b8
Opcode Fuzzy Hash: 609b6179558d2b36bdaf2e4148e8a5a805fee5a9b0b587ea1ef9254c8254a378
Instruction Fuzzy Hash: EC3281759042A98BEF21CB15CC98BEEB7B9AF46340F1541EAE849EB250D7719F818F40

Function 03C4B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 03C9840D, 03C984E1
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 03C984D0
DLL %wZ was redirected to %wZ by %s, xrefs: 03C983FC
SxS, xrefs: 03C983ED
LdrpPreprocessDllName, xrefs: 03C98403, 03C984D7
API set, xrefs: 03C983F4, 03C983F9

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 2460bb24d65d45e29e422bc6442d141af3bc35aa1adca9010bdba2c8b564ae5e
Instruction ID: 28b675d987838117330043e859db52ecf93edab2ec4362c1d63bf91e131efdcf
Opcode Fuzzy Hash: 2460bb24d65d45e29e422bc6442d141af3bc35aa1adca9010bdba2c8b564ae5e
Instruction Fuzzy Hash: 88C14A31A00315ABDF24DF69C894BBEF7A5AF46300F194069E886DF291EBB4DD44D3A1

Function 03C663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 03CA4258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 03CA41FE
Process initialization failed with status 0x%08lx, xrefs: 03CA413A
minkernel\ntdll\ldrinit.c, xrefs: 03CA40E9, 03CA414B, 03CA420F, 03CA4269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 03CA40D8
_LdrpInitialize, xrefs: 03CA40DF, 03CA4141, 03CA4205, 03CA425F

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 219dccb58071c3c288220effa9c38945ba844c7743c43491f92de38d42ebd443
Instruction ID: 401a976d6696826e40c6c12aaabc568797d04490f6c7b7937c1e4415a19dc6ef
Opcode Fuzzy Hash: 219dccb58071c3c288220effa9c38945ba844c7743c43491f92de38d42ebd443
Instruction Fuzzy Hash: 3B916A35A00B159BDB38EF2AD884BBEB7A1FB51728F050128E911EF781D7B49911D790

Function 03C6C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 03C6C6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 03CA81E5
LdrpInitializeProcess, xrefs: 03C6C6C4
LdrpInitializeImportRedirection, xrefs: 03CA8177, 03CA81EB
Loading import redirection DLL: '%wZ', xrefs: 03CA8170
minkernel\ntdll\ldrredirect.c, xrefs: 03CA8181, 03CA81F5

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: d2ed629003ea68dd92e6fd7bf4bf9bce37fafc9a015559c217567559d64e1bcd
Instruction ID: 27c9893bb2149173afc46c104941952e22cdb6c17c1ec651e4f26d593d9eebeb
Opcode Fuzzy Hash: d2ed629003ea68dd92e6fd7bf4bf9bce37fafc9a015559c217567559d64e1bcd
Instruction Fuzzy Hash: 5D310476744741AFC224EF28D946E2AB7E4EF94B14F050968F881EF291D620ED04D7A2

Function 03C62674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 03CA2160, 03CA219A, 03CA21BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 03CA2178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 03CA21BF
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 03CA2180
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 03CA219F
SXS: %s() passed the empty activation context, xrefs: 03CA2165

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: c0779794cc62ccabb1866f96a7bd450aa9be9d5577c0630d80ebaaf72d91e9f3
Instruction ID: 6916c881a41f950019498c1d2f77126f589f02c97e221302d42998ffb5c3d423
Opcode Fuzzy Hash: c0779794cc62ccabb1866f96a7bd450aa9be9d5577c0630d80ebaaf72d91e9f3
Instruction Fuzzy Hash: 45310336F40225BBE721CA99CC81F9EB678DB95A44F094469FB04FB241D671EE00E7A1

Function 03CB9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON

Download Yara Rule

Strings

L, xrefs: 03CBA2FB
@, xrefs: 03CB9E80
\KnownDlls32, xrefs: 03CB9C67
AVRF: Verifier .dlls must not have thread locals, xrefs: 03CBA12D
KnownDllPath, xrefs: 03CB9CF9

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
API String ID: 0-3127649145
Opcode ID: 48f0f7570b0a2d675e4aa783f8957edad6634bb30ea70b3b3152bbdb2374d481
Instruction ID: d04c803764ca9c4e19fd584aa7adc3d075106e168be8da59459c491f1b4b360c
Opcode Fuzzy Hash: 48f0f7570b0a2d675e4aa783f8957edad6634bb30ea70b3b3152bbdb2374d481
Instruction Fuzzy Hash: 10323479A017199BDB61DF25CC88BDAB7F8FF48300F1041AAE549EB250DB71AA84CF50

Function 03C49950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 03C976A3
minkernel\ntdll\sxsisol.cpp, xrefs: 03C976AD
, xrefs: 03C499F1
Internal error check failed, xrefs: 03C976B2
, xrefs: 03C499F9

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: daffcc6d8008f06c9992b37dbbd4742425974b97aef22cd9124325e6d6057de9
Instruction ID: b99420e510eed0d296bd3e94ff0059653329631643a302545806f0db522b9825
Opcode Fuzzy Hash: daffcc6d8008f06c9992b37dbbd4742425974b97aef22cd9124325e6d6057de9
Instruction Fuzzy Hash: 120257719093618FD720CF65C084BABFBE4BF89714F49896EE889CB250E770D944CB92

Function 03C551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 03C5522A
Kernel-MUI-Number-Allowed, xrefs: 03C55247
Kernel-MUI-Language-Disallowed, xrefs: 03C55352
Kernel-MUI-Language-Allowed, xrefs: 03C5527B
Kernel-MUI-Language-SKU, xrefs: 03C5542B

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: a90acbecf6198e53da48c34a3fd00dc92574ee55823bc74c3ff9e87cf674c41a
Instruction ID: 80d60eb807c4320fec72bba974ecd46de9b097f89655a218400b89b5f48f5f08
Opcode Fuzzy Hash: a90acbecf6198e53da48c34a3fd00dc92574ee55823bc74c3ff9e87cf674c41a
Instruction Fuzzy Hash: 84F16C76D10218EFCF11DF99C980AEEBBB9FF49650F16406AE902EB250D7709E40DB94

Function 03CB4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

\, xrefs: 03CB4F66
.DLL, xrefs: 03CB50C7, 03CB519C
\microsoft.system.package.metadata\Application, xrefs: 03CB5158
/, xrefs: 03CB4F6D
.Local, xrefs: 03CB5170

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 79eb54cde1f430ea1c6f88a9ff4b3f8a5686d8bccd93161293fb002f78a7517e
Instruction ID: cf5ee2fa00da5129fba6b056df96c66990dcde411a878010f2ec42be4a2efa03
Opcode Fuzzy Hash: 79eb54cde1f430ea1c6f88a9ff4b3f8a5686d8bccd93161293fb002f78a7517e
Instruction Fuzzy Hash: 0B91BE76D006199BCB25CFA9C881AFEB7B5FF4A310F594169E811EB350D735DA01CB90

Function 03C5D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

Process 0x%p (%wZ) exiting, xrefs: 03C9F2C7
$, xrefs: 03C5D900
$, xrefs: 03C5D86D
LdrShutdownProcess, xrefs: 03C9F2CE
minkernel\ntdll\ldrinit.c, xrefs: 03C9F2D8

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: de3940593aff8be51b9828352101068ecda1da8d1ecfee0ff1782e68e331a665
Instruction ID: 4d37704eabfd067065bbddff75f749ae4b4470e54d57ed5fcde24c9d5df644a4
Opcode Fuzzy Hash: de3940593aff8be51b9828352101068ecda1da8d1ecfee0ff1782e68e331a665
Instruction Fuzzy Hash: 57510F36A00345DFDB24EFA4D48879DBBB1BF59304F294059E802EF291C770AA80CBC4

Function 03C276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

RtlFreeHeap, xrefs: 03C8B03F
Invalid heap signature for heap at %p, xrefs: 03C8B02F
HEAP[%wZ]: , xrefs: 03C8B016
HEAP: , xrefs: 03C8B023
, passed to %s, xrefs: 03C8B040

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: bd621102b68cd9e9e7193980f76340ea8da9f70822d7996e4849687e7923254b
Instruction ID: e9a8cb2dd3a9e927e0358f40e721af50ff32aff61212d1e208949f8525ffdb9f
Opcode Fuzzy Hash: bd621102b68cd9e9e7193980f76340ea8da9f70822d7996e4849687e7923254b
Instruction Fuzzy Hash: 810128761097A0DED22AF31AA409F56BBE4DB42B74F194059E010CF692CAA4AD80D560

Function 03C470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03C47C96, 03C48696
HEAP[%wZ]: , xrefs: 03C47C6D, 03C48670
HEAP: , xrefs: 03C47C7C, 03C4867F

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 007d1b1713fb3d472a1f112c5b810a44e4df7210eb4ff6ede76680b73c341911
Instruction ID: 1f03a5d7873bcf6f2235eef059de66839e415d2f67846c08c87144ed7772d47f
Opcode Fuzzy Hash: 007d1b1713fb3d472a1f112c5b810a44e4df7210eb4ff6ede76680b73c341911
Instruction Fuzzy Hash: BA139970A00759CFDB29CF69C8907A9FBB1BF49304F1881A9D859EF381D735AA45CB90

Function 03C41070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03C95877
HEAP: , xrefs: 03C95884
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 03C9588F
@, xrefs: 03C95A53

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: 72645a36680e143f17e9efca8a6c2449dc5946c60accdcfb861ebe4b5e26aa6e
Instruction ID: a1d0ae9520d3b11266be84396c5945290bf75d2e0d7382c5b70b859d1afc349c
Opcode Fuzzy Hash: 72645a36680e143f17e9efca8a6c2449dc5946c60accdcfb861ebe4b5e26aa6e
Instruction Fuzzy Hash: 0E923875A01268CFEB25CF19C844BA9B7B5BF45314F0A81EAD989EB390D7349E80CF51

Function 03C4A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

SsHd, xrefs: 03C4A885
SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03C97D56
SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03C97D39
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03C97D03

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 0-2905229100
Opcode ID: 9a7e9fcf7fb7303b6e46e36fa7cf8e69821fa18bacf7b222178f6ca3e774e802
Instruction ID: d2c9679ee00077479c22a5f2232fa5315c0cb8dca1835d304655d97dcd1ee2f4
Opcode Fuzzy Hash: 9a7e9fcf7fb7303b6e46e36fa7cf8e69821fa18bacf7b222178f6ca3e774e802
Instruction Fuzzy Hash: 25D17C7AA402199BDF24CF99C880AADF7B5FF58310F19406AE845EF351D371EA91CB90

Function 03C43D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03C44393, 03C445CB, 03C4486D
HEAP[%wZ]: , xrefs: 03C4436D, 03C445A5, 03C44844
HEAP: , xrefs: 03C4437C, 03C445B4, 03C44853

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: ce9f1960e1f15b6e969be619911d77087d0caf06cb385cde991d04580c41212f
Instruction ID: bc7919b31890d06e8981a1aad1546820ac19039130045e8dfa8f5aa80b9f4ea9
Opcode Fuzzy Hash: ce9f1960e1f15b6e969be619911d77087d0caf06cb385cde991d04580c41212f
Instruction Fuzzy Hash: ADE2A074A006558FDB28CF6AC890BA9FBF1FF49304F288199D849EF385D735A945CB90

Function 03C3A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 03C3A3FF
8, xrefs: 03C3A3E7
6, xrefs: 03C3A3F7
LdrResFallbackLangList Enter, xrefs: 03C3A3EF

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: c5853ead38dd7d6f9be0b807a4534c3be05af2726b5684476bcc36cee8ed3f32
Instruction ID: 8a01517463ba27e19304a8470170bb1423d67f8b7f67b32422c087714acd8aad
Opcode Fuzzy Hash: c5853ead38dd7d6f9be0b807a4534c3be05af2726b5684476bcc36cee8ed3f32
Instruction Fuzzy Hash: A5C187791083869FDB11DF19C044B6AB7F4BF8A704F04886AF8D6CB250E735CA59CB92

Function 03C40C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 03C954ED
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 03C955AE
HEAP[%wZ]: , xrefs: 03C954D1, 03C95592
HEAP: , xrefs: 03C954E0, 03C955A1

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 9f97ba4c01ddaee27a232c49c474d802d278c49840c44b229a6f1000e64a8be0
Instruction ID: 076e8c470aff0b65029a658a9df4aa2a925a25cbc75631ca56e5e76a89266ff1
Opcode Fuzzy Hash: 9f97ba4c01ddaee27a232c49c474d802d278c49840c44b229a6f1000e64a8be0
Instruction Fuzzy Hash: 82A1FE74644265DFDB24DF29C840BBAFBB1BF45300F188569D59ACB282D330A948DB91

Function 03C6273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 03CA21D9, 03CA22B1
.Local, xrefs: 03C628D8
SXS: %s() passed the empty activation context, xrefs: 03CA21DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 03CA22B6

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: fdca7f42b31faa6d844bf742c36a1554693964e4387efbb8b78418a8bde02ee3
Instruction ID: b2826c32c868836ce46a7b669e1b236e9d08e5134f462f307af6c926902610be
Opcode Fuzzy Hash: fdca7f42b31faa6d844bf742c36a1554693964e4387efbb8b78418a8bde02ee3
Instruction Fuzzy Hash: CDA1903590022A9FDB24CF65CC84BA9B3B5BF58314F1949E9D948EB251D730AE81CF90

Function 03C2F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03C8E563
HEAP[%wZ]: , xrefs: 03C8E3FE
HEAP: , xrefs: 03C8E54E
`, xrefs: 03C8E428

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: e19f653f5be8967c6b5c435ce1777d866bddc06ab430b7b70bc4397821d8b153
Instruction ID: fd342ce0c09ecdf1bb2acd97fd02a8919fecc3bbaa67bc0ff6dd3f769c0aebd0
Opcode Fuzzy Hash: e19f653f5be8967c6b5c435ce1777d866bddc06ab430b7b70bc4397821d8b153
Instruction Fuzzy Hash: D26103762047849FD721EB68C844F6BBBF8EF80714F090468E955CF291D734EA41DB61

Function 03CE11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 03CE1261
This is located in the %s field of the heap header., xrefs: 03CE12D6
HEAP[%wZ]: , xrefs: 03CE123D, 03CE12B7
HEAP: , xrefs: 03CE124A, 03CE125D, 03CE125F, 03CE12C4

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: da149042040532db2c4f608fa831f5611827f26974554decd0587d9d43eb0193
Instruction ID: 5f1bbe40d429d0cc9680e065787f1b3402d42bdfec66d537ad980fdef6b338d1
Opcode Fuzzy Hash: da149042040532db2c4f608fa831f5611827f26974554decd0587d9d43eb0193
Instruction Fuzzy Hash: F031DA76200260EFC751EB99CC86F6AB7E8EF09724F1D0055E411CF291E670FD50DA65

Function 03C29148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 03C8BABA
VirtualQuery Failed 0x%p %x, xrefs: 03C8BAF7
HEAP[%wZ]: , xrefs: 03C8BAA0, 03C8BADD
HEAP: , xrefs: 03C8BAAD, 03C8BAEA

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: e5eafaf359f0ef30b90fca86fed854e3492ec99a49106e14773ab6919dce4c8e
Instruction ID: 2b16a97c4704c4ec8cd1ff08bf83539b0091b0c20610ef4143cc539dffe71925
Opcode Fuzzy Hash: e5eafaf359f0ef30b90fca86fed854e3492ec99a49106e14773ab6919dce4c8e
Instruction Fuzzy Hash: A531C676600214EFCB11EB46CC85FDEBBB8EF45B24F154061E814EB291D770EE40DA60

Function 03C429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 03C4327D
HEAP[%wZ]: , xrefs: 03C43255
HEAP: , xrefs: 03C43264

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 595365267faf5cf0bb4d914e068731d0807d0940b6241abadeed036220044dbc
Instruction ID: ce0f1ab0c6a743a4b228ae14fa2d8f55a5782e90b59ec8fce17d7081e1ac042b
Opcode Fuzzy Hash: 595365267faf5cf0bb4d914e068731d0807d0940b6241abadeed036220044dbc
Instruction Fuzzy Hash: A692BD75A042899FDB25CF69C4447AEBBF1FF48300F188499E89AEB391D735AA41CF50

Function 03C41F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03C4216B, 03C95E68, 03C96016, 03C96160
HEAP[%wZ]: , xrefs: 03C42155, 03C95E46, 03C95FF4, 03C9613E
HEAP: , xrefs: 03C4212E, 03C95E53, 03C96001, 03C9614B

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: ec4b44d07af2cec73a7b097b9b71eb63ee3394c99a05417f393ca8f009a5e3ba
Instruction ID: 38ce2c485ea0a510c28118b3f0696cfbf5c255415c51d3909ce1cf0304c43fe1
Opcode Fuzzy Hash: ec4b44d07af2cec73a7b097b9b71eb63ee3394c99a05417f393ca8f009a5e3ba
Instruction Fuzzy Hash: 3C2230706006419FEB16DF29C499B7AFBF5EF02704F1A849AE455CF282D736EA81CB50

Function 03C40770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 03C950CA
HEAP[%wZ]: , xrefs: 03C950AE
HEAP: , xrefs: 03C950BD

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 78a47837c847e0e564acb9056c43a6515cdfebdcf83bf62b57fe9de0461deabd
Instruction ID: e100f5f71dd4729802482125215530a71f7aa6944b1c79e0738688a54b3ef17b
Opcode Fuzzy Hash: 78a47837c847e0e564acb9056c43a6515cdfebdcf83bf62b57fe9de0461deabd
Instruction Fuzzy Hash: 77F1A735A40605DFEB25CF69C988B6AF7B5FB45300F1981A9E506DF381D730EA81CB90

Function 03C31460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03C31728
HEAP[%wZ]: , xrefs: 03C31712
HEAP: , xrefs: 03C31596

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 679a9b0cbb8e2aa21bc64eac4cc0cb6b5daa010d046b2f16d485536717ac79c1
Instruction ID: 81af117f9f9163f8b94f2f0bc3c279220a7ae9097e3c39daacc4b00415e27fc9
Opcode Fuzzy Hash: 679a9b0cbb8e2aa21bc64eac4cc0cb6b5daa010d046b2f16d485536717ac79c1
Instruction Fuzzy Hash: 13E10F70A046419FDB29EF69C451BBABBF5EF4A304F1C845DE496CB245E734EA40CB50

Function 03C3B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 03C3B702
MUI, xrefs: 03C3B6D8, 03C3B7E7
LdrResGetRCConfig Exit, xrefs: 03C3B714

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: d5b35a7b40fb0bcd40e66d642715f178abfab4ffa2a12a26032e6a6574cec4f0
Instruction ID: 67316c3576ad3af2c8fb938c07dc30a641932aea88614c1fb25d343e6ccda35e
Opcode Fuzzy Hash: d5b35a7b40fb0bcd40e66d642715f178abfab4ffa2a12a26032e6a6574cec4f0
Instruction Fuzzy Hash: FAB19C7AA047849BDF25CF69C884BADB7B6EF45314F1A446AE851EB380D730ED40CB54

Function 03CB368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

DelegatedNtdll, xrefs: 03CB36CE
@, xrefs: 03CB389F
\SystemRoot\system32\, xrefs: 03CB3842

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: cca0469bccdbac9f1ea6f3de2ce676d37f9af22542eb4f12ab82668b7ddbff29
Instruction ID: 94041acdff6d14fe0c3d5a504aaac7474ecee571b9407ffc202430004e9228ae
Opcode Fuzzy Hash: cca0469bccdbac9f1ea6f3de2ce676d37f9af22542eb4f12ab82668b7ddbff29
Instruction Fuzzy Hash: 7CB1AF7A604381AFD321DE95C884FABB7F8EB54710F150929FA40EB290D775ED44CB92

Function 03C56962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 03C56C24
, xrefs: 03C9CA51

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 31f0cab33a2a042c6c694c493e9d4bb25dd8d1c2e0738b59bcfc16bfede09a83
Instruction ID: 9963b2846c285927d2aa408ff868429a502e28cf0ad00327ad05be377d3d1cce
Opcode Fuzzy Hash: 31f0cab33a2a042c6c694c493e9d4bb25dd8d1c2e0738b59bcfc16bfede09a83
Instruction Fuzzy Hash: 6AC280716083419FEB25CF25C884BABB7E5AF88744F09896EFD89CB240D734D984CB56

Function 03C2A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 03C8C1E4
FilterFullPath, xrefs: 03C8C2E6
UseFilter, xrefs: 03C2A1C1

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 4fd54bb9ed763a83541d46e30cebaf356249cce895ae621e7e4cb314a123e077
Instruction ID: 437486ede257791e510f956bc82f24a55c1816bbb80050964aeae1dedba7d6db
Opcode Fuzzy Hash: 4fd54bb9ed763a83541d46e30cebaf356249cce895ae621e7e4cb314a123e077
Instruction Fuzzy Hash: B2A16A759012299BDB21EB24CC88BEAF7B8EB44714F0541E9E909EB250DB35AFC5CF50

Function 03CC36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Exit, xrefs: 03CC3727
@, xrefs: 03CC3867
LdrpResMapFile Enter, xrefs: 03CC3715

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: b8be4b79cb537342504e471993a9e6bba2f83bfbadff045e693f8a026e59a221
Instruction ID: 788c2d5aeef06ecedecd1d9d23ffc038318d47e1cd5879889e2ec6fe5b14cce8
Opcode Fuzzy Hash: b8be4b79cb537342504e471993a9e6bba2f83bfbadff045e693f8a026e59a221
Instruction Fuzzy Hash: 608198796283C0AFE311DB15D944B6AB7E8FF85750F09892DF980DB390DB38D9048B62

Function 03C6909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 03CA5D3F
@, xrefs: 03C69148
&, xrefs: 03CA5CF8

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 504d6c76d6aabbbf342aa9bf2200867030a521dfbed55b829e4ada3a32cec2a5
Instruction ID: 74a7dcb003fdeec920b2ab11c5ad6dd90826de3c09bfbc7d1be4758b298fea5f
Opcode Fuzzy Hash: 504d6c76d6aabbbf342aa9bf2200867030a521dfbed55b829e4ada3a32cec2a5
Instruction Fuzzy Hash: B171B1746087429FC714DF25C5C0A6BFBE9FF89618F24891DE49ACB251C731EA05CB92

Function 03D0B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

TargetNtPath, xrefs: 03D0B82F
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 03D0B82A
GlobalizationUserSettings, xrefs: 03D0B834

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: da5b7b499c26efec94aa2abb1684b415963fdfe8c3d64640c042de077b620766
Instruction ID: 5e95eb2bdbfca965b4935152628dfb0b949ebdfd1cdde7e6dd6101aa6cb879cf
Opcode Fuzzy Hash: da5b7b499c26efec94aa2abb1684b415963fdfe8c3d64640c042de077b620766
Instruction Fuzzy Hash: 5F617076D45229ABDB21DF54DC88BDAB7B8EF54B10F0101E6A908EB290C774DE84CF90

Function 03C2F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03C8E6C6
HEAP[%wZ]: , xrefs: 03C8E6A6
HEAP: , xrefs: 03C8E6B3

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: c91c2238d789c985d85c509e12a70a97de394e38dba37779c5b77e93e347eec9
Instruction ID: 951c999233127f240e245bc3bd65afc6d00cdc77fe9c00f010a36a6227a3a770
Opcode Fuzzy Hash: c91c2238d789c985d85c509e12a70a97de394e38dba37779c5b77e93e347eec9
Instruction Fuzzy Hash: A751C336604798EFD712EB68C844BAAFBF8EF05704F0900A9E951CF692D774EA50DB50

Function 03CDDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 03CDDC32
HEAP[%wZ]: , xrefs: 03CDDC12
HEAP: , xrefs: 03CDDC1F

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 5f92ae74f08ae22dd5f3f9fbcc60e3fc3c3db8c055dfaab16816bfa767d60954
Instruction ID: ca8eabd843401fdc74dafb188d45ee8cc12f48b773a8a72aafc308990ade9afd
Opcode Fuzzy Hash: 5f92ae74f08ae22dd5f3f9fbcc60e3fc3c3db8c055dfaab16816bfa767d60954
Instruction Fuzzy Hash: A0514435904250AEE374DE2AC88C772B7E1DF45248F09888AF6D3CF285DA75E942DB60

Function 03C6C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 03CA82DE
minkernel\ntdll\ldrinit.c, xrefs: 03CA82E8
Failed to reallocate the system dirs string !, xrefs: 03CA82D7

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: c39ae1916284f272e8d67b83b42e3bc39cd1d390205d3df38f6a7e92448940b2
Instruction ID: 78c61bcc662049bfcdbdeb0d9ef0a11cb146565d0ef5fd3c0b6a8e0dd7cee46e
Opcode Fuzzy Hash: c39ae1916284f272e8d67b83b42e3bc39cd1d390205d3df38f6a7e92448940b2
Instruction Fuzzy Hash: B94115B6500310ABC720FB28DC84B5BBBE8FF59750F05492AF988DB250E770E910DB91

Function 03C616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 03CA1B39
minkernel\ntdll\ldrtls.c, xrefs: 03CA1B4A
LdrpAllocateTls, xrefs: 03CA1B40

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: fb29c41ec77d586e7c5ece2c834298da98c7f6e3f992240ec0c7fe47a360b6c1
Instruction ID: 7ef97095a0fa9db8470720eaf7932cbb88825973fec6e60cd8ca4d272fc351e0
Opcode Fuzzy Hash: fb29c41ec77d586e7c5ece2c834298da98c7f6e3f992240ec0c7fe47a360b6c1
Instruction Fuzzy Hash: 8541AC79A00609AFCB15DFA9D881BAEFBF5FF59714F098119E405EB300D774A900DB90

Function 03CEC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 03CEC1F1
PreferredUILanguages, xrefs: 03CEC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 03CEC1C5

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: b7a326c172865d660a2d378da5f5985c667c51a4e5e5ba0af82421c2ea68c6f9
Instruction ID: a0480f67736134208c97ac29797a3d7e9999c823cfa0305824c3019b0f3446a5
Opcode Fuzzy Hash: b7a326c172865d660a2d378da5f5985c667c51a4e5e5ba0af82421c2ea68c6f9
Instruction Fuzzy Hash: D0418D76E0020AEFDB11DAD4C885FEEB7B8AB14700F05806AE905FB290D774AA449B90

Function 03CC4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 03CC4160
@, xrefs: 03CC4225
LdrpResValidateFilePath Exit, xrefs: 03CC4172

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: cbbaa152420b5dfcbaac0e7cc0c92ca32a6b2811f0cdaefc77cec4681095eb85
Instruction ID: 6e10281a0cc84889dd7462a7e4249357277955806e16dccee929315d26c2113e
Opcode Fuzzy Hash: cbbaa152420b5dfcbaac0e7cc0c92ca32a6b2811f0cdaefc77cec4681095eb85
Instruction Fuzzy Hash: 694102759203C88BEB2ADBA6C860BADB7B8EF55340F19445ED841EF391D6359A01CB10

Function 03CB4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03CB4888
LdrpCheckRedirection, xrefs: 03CB488F
minkernel\ntdll\ldrredirect.c, xrefs: 03CB4899

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: aee55ff02874af0fc01374a5fda4a24b9ba6d014d0833405732720e0de7ae7dc
Instruction ID: a33894e1ba7e9c23f903982c4811032c8dd2345cf374c7cb96160e770f7ac5a4
Opcode Fuzzy Hash: aee55ff02874af0fc01374a5fda4a24b9ba6d014d0833405732720e0de7ae7dc
Instruction Fuzzy Hash: 0141D7336087609FCB29CE6AD440AA6B7F9AF49650F090569EC58EB353D731DD00CB91

Function 03C633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 03C633AC
SXS: %s() passed the empty activation context data, xrefs: 03CA29FE
RtlCreateActivationContext, xrefs: 03CA29F9

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: b222cf6569ccf797637e902cbce818ca3ea0850945c635bb8d61d1622a5989dc
Instruction ID: 03b72a08c182bb5336ff860b89f319b9103e72624536141364251502803ffbfa
Opcode Fuzzy Hash: b222cf6569ccf797637e902cbce818ca3ea0850945c635bb8d61d1622a5989dc
Instruction Fuzzy Hash: 423144362003529FDB22DE58C8C4BAABBA4FB44714F098469EC05DF2A1CB30ED41CB90

Function 03C61607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 03CA1A51
LdrpInitializeTls, xrefs: 03CA1A47
DLL "%wZ" has TLS information at %p, xrefs: 03CA1A40

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 232ef4bde9ae74312ec0c00bd7998a828dfcc860c3629a13d79c6743acf75cec
Instruction ID: 8e18d4c532c18ac72847b7e34dc17a33451b7b2d9ac12bd43db9092cc4f8bb9a
Opcode Fuzzy Hash: 232ef4bde9ae74312ec0c00bd7998a828dfcc860c3629a13d79c6743acf75cec
Instruction Fuzzy Hash: 75310776A00200ABD720DB59D885F7AB7ADEB66759F0D0069F405EB280E770EE04A790

Function 03C71270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 03C7127B
BuildLabEx, xrefs: 03C7130F
@, xrefs: 03C712A5

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: fe26cc9ad5032d75251f50edcf7d0ae56d1daffa60f2768b54bd8bc2efbd6819
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 3531CD76900619AFCB11EFA5CC48EEEBBBDEB84714F054421ED14EB260DB30DA059BA0

Function 03CB20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 03CB20F3
minkernel\ntdll\ldrinit.c, xrefs: 03CB2104
LdrpInitializationFailure, xrefs: 03CB20FA

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 9142230e8e5035fdb776e2b0f8f9e75cbc49eb9074c6a45e4d90a383e1932fb0
Instruction ID: 5c0f2f6bc7b6f7ce4dad8e31f31dd53dd44d5ff83605bc2ee087e4196543a361
Opcode Fuzzy Hash: 9142230e8e5035fdb776e2b0f8f9e75cbc49eb9074c6a45e4d90a383e1932fb0
Instruction Fuzzy Hash: E8F0283A640308BFEB24E60CDC02FD97768EB41B04F050464FA00EF281D2F0AA10EA90

Function 03C403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03C94D8A

Strings

#%u, xrefs: 03C94D82

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 95eecad1a41a9a1ebbb41433d499da2e898ac58b150ce1197c8b56c08c1a7ec1
Instruction ID: 1456d5bfc5b60d24ea47eff171b325440adcc5cda252498e2d8795ea1696fea7
Opcode Fuzzy Hash: 95eecad1a41a9a1ebbb41433d499da2e898ac58b150ce1197c8b56c08c1a7ec1
Instruction Fuzzy Hash: 06715B76A002499FDB05DFA9D994BAEB7B8FF48304F164065E901EB251EB34EE01DB60

Function 03CD705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 03CD70C8

Strings

kLsE, xrefs: 03CD70A4

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: e885cc6177feb6670a86f22e2459c7cb879a7008162c6773e95421973d44ab0e
Instruction ID: c6828853ad4a863a26bf1e63059b071ed2fecf56155baf851f426090f482c5f6
Opcode Fuzzy Hash: e885cc6177feb6670a86f22e2459c7cb879a7008162c6773e95421973d44ab0e
Instruction Fuzzy Hash: 8A4187735013504AE731FF65E884B69BBA4AB30B24F190258FEA0CF2C9CBB09585D7A0

Function 03C452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 03C455A3
@, xrefs: 03C45445

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 2d6d0801389f9bf6ba9d1fd230e915b8deede90f359de03dbd4ffc867d1c4450
Instruction ID: f0d83d79cfc8e0eb2c83ab1de05bf49b89b4d2a5a44e631d345cf3cb4450851f
Opcode Fuzzy Hash: 2d6d0801389f9bf6ba9d1fd230e915b8deede90f359de03dbd4ffc867d1c4450
Instruction Fuzzy Hash: A932A8755083118BDB24CF19C484B7EF7E1AF8A750F19492EF986DB290E734CA94CB92

Function 03CFA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 03CFA551
`, xrefs: 03CFA44B

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: f859c663c0bb734eb4a3c39f6d9b6671c0174392a7544de40434cd290343a0fd
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: D9C1DE352047429FDB64CF29C845B6BFBE5AF84318F084A2DFA99CA290D774D645CF81

Function 03C30CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

ResIdCount less than 2., xrefs: 03C8EEC9
Failed to retrieve service checksum., xrefs: 03C8EE56

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
API String ID: 0-863616075
Opcode ID: 35bf1ce05264805f17f0909b49087b0e955d176d0dfde634ee0cd99f6c6dc379
Instruction ID: 177dd187b698b30c6446800f68f0309da3dd2a3a8374052c4b3070258f780ae6
Opcode Fuzzy Hash: 35bf1ce05264805f17f0909b49087b0e955d176d0dfde634ee0cd99f6c6dc379
Instruction Fuzzy Hash: 8EE1E2B59087849FE324CF15C440BABBBE4FB89315F448A2EE599CB380DB719609CF56

Function 00401240 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401511
S, xrefs: 004012D3

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$S
API String ID: 0-689075547
Opcode ID: c3be6647dbe6cc5b98a41977876f3875923a8e71468d33625275d7a6889461c2
Instruction ID: e431341b1d67e5fc745451f7cae9a32b470161ff68f2d1691612299d1a3635dd
Opcode Fuzzy Hash: c3be6647dbe6cc5b98a41977876f3875923a8e71468d33625275d7a6889461c2
Instruction Fuzzy Hash: 4CA19371E0020987DB18CE59D8501AEB772EFE5314F24C27FED19AF3D1EA799A428781

Function 00402920 Relevance: 2.7, Strings: 2, Instructions: 246COMMON

Download Yara Rule

Strings

GR, xrefs: 00402939
-{, xrefs: 0040294F

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: -{$GR
API String ID: 0-1179925523
Opcode ID: c28e6b91f78691b83621c0917eed8092120be16c549680ff0f9db2d47e1dffa7
Instruction ID: b4af3b5a2527905aa5cfc9c12879170275a79e91ba89fd07e7117125551f8536
Opcode Fuzzy Hash: c28e6b91f78691b83621c0917eed8092120be16c549680ff0f9db2d47e1dffa7
Instruction Fuzzy Hash: 2471A571B0010647DF1C8E5DCA997ABB3A6EBD0305F58817ED915EF3C1EAB8AD018B84

Function 00402610 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004026C0
gfff, xrefs: 004027D1

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: VUUU$gfff
API String ID: 0-2662692612
Opcode ID: e6091576cf2b6853807572404755113bc5257c93a9f10ac193f78d38ea392fe3
Instruction ID: 372af4782d85180f0ac481e82ad683a52dac59266f5275330bb9ee29e341387e
Opcode Fuzzy Hash: e6091576cf2b6853807572404755113bc5257c93a9f10ac193f78d38ea392fe3
Instruction Fuzzy Hash: 9261D532F005154BCB18CE1DDE882AA7396EBE4314B198277ED19EF3D1F679ED118688

Function 00402410 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

d, xrefs: 00402423
yxxx, xrefs: 004024D0

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: yxxx$d
API String ID: 0-2460085974
Opcode ID: 53fc87e3b3aa920e45772aa848ef17eb53d10eb2558d1f58f52766ebb3728638
Instruction ID: fe4610766710c822c2f3eeb380541be288c4c95b30ca9b44ea1c2b8861269200
Opcode Fuzzy Hash: 53fc87e3b3aa920e45772aa848ef17eb53d10eb2558d1f58f52766ebb3728638
Instruction Fuzzy Hash: D6514962B0010A17DF2C881D9EA83A67642E7E9305F588137E985EF3C5F8B8ED52538D

Function 03CAE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 03CAE75A
UEFI, xrefs: 03CAE751

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 3eef02902b89abdd4aa05481f1817978472cc411fb3d355d4c4e419edb8f570e
Instruction ID: 2fb2911126f5376dd9212d302047102411fd69b9a09ad4bae3dc3301d33cd93d
Opcode Fuzzy Hash: 3eef02902b89abdd4aa05481f1817978472cc411fb3d355d4c4e419edb8f570e
Instruction Fuzzy Hash: BC614C72E00B199FDB24DFBDC880BADBBB9FB44704F144069E559EB291D731A940DB90

Function 03C4F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 03C4F7F6
$, xrefs: 03C4F860

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: 57f136ceaa6c47729ecb5341f8fd0cc98e8b59133d966ad06c975cb988da8c20
Instruction ID: 6dc7c6dff11edded79869eb8bde08c034dfebceef0fe6be928d2d5b73bab5425
Opcode Fuzzy Hash: 57f136ceaa6c47729ecb5341f8fd0cc98e8b59133d966ad06c975cb988da8c20
Instruction Fuzzy Hash: ED61B736A0074ADFDB20EFA4C584BADB7B2BF48308F09406DD515EF680CB74AA41DB90

Function 03C3A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 03C3A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 03C3A309

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 88ba39bd85ad4c893c8c90f18b7e4ab0a4a50ca6274d3c5e148ef4ed7bbb3257
Instruction ID: f6a0a4da448a6ff37b606432ae1ba803537d6f0524f44b2d67a2bb1cf0a2d55f
Opcode Fuzzy Hash: 88ba39bd85ad4c893c8c90f18b7e4ab0a4a50ca6274d3c5e148ef4ed7bbb3257
Instruction Fuzzy Hash: 4341CF78A04649DBDB11CF69C844B69B7F4FF86700F1944AAEC81DF2A1E735DA10CB41

Function 03C6329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 03C6330D
.Local\, xrefs: 03C632B5

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: ba27445a242533f57c143f14d9b0947ba92cae202c1045376780b528b7cc99f8
Instruction ID: d19451b5720a3534b69165f500853dc81849b9f0a5ebd4d7acffef7f66427152
Opcode Fuzzy Hash: ba27445a242533f57c143f14d9b0947ba92cae202c1045376780b528b7cc99f8
Instruction Fuzzy Hash: AD31B37A5083449FC310DF29C8C0A6BBBE8FBC5654F49092EF995C7260DA30DE05DB92

Function 03C3C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 03C3C8C3, 03C3CA40

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f1c59133b1817cf9a0ab131decfb0dfea3b2faaa57a378348a6a973c3ed676e5
Instruction ID: be00aaf97956b56916b1b5b7d97fe4a1571b43b83d24ab134b2731902e9abb81
Opcode Fuzzy Hash: f1c59133b1817cf9a0ab131decfb0dfea3b2faaa57a378348a6a973c3ed676e5
Instruction Fuzzy Hash: EF824C75E002189BDB24CFA9C984BEDF7B5BF4A710F188169D85AEB250DB319E41CF50

Function 03C82F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

P`owRbow, xrefs: 03C8300D, 03C833E4, 03C8343B, 03C834FE, 03C8352E

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: P`owRbow
API String ID: 0-263301770
Opcode ID: f849b347fc7dff7d1b9845de0d28806afb470cea834059b6b02d841b2ef43be9
Instruction ID: 43bfe3ab7374075d124a78a173bce885670fe94b4cc2f55229a1b80659a2f7b6
Opcode Fuzzy Hash: f849b347fc7dff7d1b9845de0d28806afb470cea834059b6b02d841b2ef43be9
Instruction Fuzzy Hash: 8542E27DD04299AADF29FFA8D8446BDFBB0AF04B18F18905AD441EF280D7358B81CB54

Function 03C37370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bca6361eead5c074511716da2787b4ceb36671cc67e447616df1921eac991a
Instruction ID: 2d51b14a2c476683a68a3beda7dba8961bd2f3038d6c2c80109ac449adceef35
Opcode Fuzzy Hash: c8bca6361eead5c074511716da2787b4ceb36671cc67e447616df1921eac991a
Instruction Fuzzy Hash: D9A16BB5608342CFD724DF29C480A2ABBE5BF89704F19496EE585DB350E730E945CF92

Function 03C52E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

0, xrefs: 03C53240

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 72a7eaf7cc8e56cc8ed2abe6e1ee436b0abd1d9a8e75c0bcbb22e99e38ff597e
Instruction ID: 85e08dfcb1a0fc284eb2cb806008690ce3c7f91c9dddbf95a7eb22085ec416ea
Opcode Fuzzy Hash: 72a7eaf7cc8e56cc8ed2abe6e1ee436b0abd1d9a8e75c0bcbb22e99e38ff597e
Instruction Fuzzy Hash: F1F1B0796087819FDB25CF25C484B6BBBE5AFC8750F09486DFC89CB240CB34DA858B55

Function 0041662E Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

(, xrefs: 0041694F

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: c217bd2924112b173e824f98b99a3d3d24cac39527f22586202aeaea366654b5
Instruction ID: e1d45cba25847a78584b8ed2e245d1429f14211f0b9601023fd0c8de57a8ac6a
Opcode Fuzzy Hash: c217bd2924112b173e824f98b99a3d3d24cac39527f22586202aeaea366654b5
Instruction Fuzzy Hash: 3E021EB6E006199FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80

Function 00416633 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 0041694F

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 1ff3bfd068e33b094ef255dd7f9f64627ff6a05826e1762857442f3e84bffab2
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 32021EB6E006199FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80

Function 03C32FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

PATH, xrefs: 03C330D6, 03C33124

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 782b45dc364bbbac17c1424fe324914e2c8a6010b78bbe36d1c4c3525d564296
Instruction ID: f63a8d3011b777662e3d77c456c32564c3cfe19375716406d70bf68f99a1593e
Opcode Fuzzy Hash: 782b45dc364bbbac17c1424fe324914e2c8a6010b78bbe36d1c4c3525d564296
Instruction Fuzzy Hash: F6F1D37AD00258DBCB25DFA9D880ABEBBB1FF9A700F494029E841EB350D775E941CB51

Function 03C6F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db82049e943eed8f3afb27185a05683fe4bad9db05d5e5358d63aed22a0c05e
Instruction ID: 9e5445505445a6e9497ff835554e335669c171fff8a67fe58c9d5e37b1dc8e54
Opcode Fuzzy Hash: 0db82049e943eed8f3afb27185a05683fe4bad9db05d5e5358d63aed22a0c05e
Instruction Fuzzy Hash: 6D4149B5D00288AFDB20DFA9D880AADFBF4FB58300F14416EE859EB211D7319A01DF60

Function 03C30100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

, xrefs: 03C30255

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fbaf9936e9123821a492d56ca45ed1a1daace3bde71f0748d9804f1b1800625c
Instruction ID: 912b5104630a4608ee12ec42806349a05d3a2cf8080956f54a22822f56e8015b
Opcode Fuzzy Hash: fbaf9936e9123821a492d56ca45ed1a1daace3bde71f0748d9804f1b1800625c
Instruction Fuzzy Hash: 61A10B33A043786BDF64DB298840BFEA7A95F46308F0940D9ED87EF281CA759B44CB55

Function 03C6A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 03CA67C9

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 4f3e426a6e092e9f6209aa5eb0ce3fc0d2c0af962f2ec626ba6c3c08e6782a70
Instruction ID: 89f174274dab451a1fc6c813c47b92bd799d84f0eb91e9922cf15142aeef4ff4
Opcode Fuzzy Hash: 4f3e426a6e092e9f6209aa5eb0ce3fc0d2c0af962f2ec626ba6c3c08e6782a70
Instruction Fuzzy Hash: 0C716D76E0071ADFDF28CF9DD5906ADBBB5BF48708F18816AE806EB240E7309951CB54

Function 03C3973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 03C397F3

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: f49e858e14be0f8fd7364af565b33b151c54cc059969ad305024a28233406e22
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 90618D76D00219ABDF21DF99C844BEEFBB8FF81710F16456AE810EB290D7709A01DB91

Function 03CBF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 03CBF867

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: a799be4487b597a356811bf0ba8f747b44f04ad4c5533c96b073fa64e1a2fe85
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 24516672A04345AFD721DE54CC44FAAB7B8FB84750F05092DFA80DB290DBB5EA14CB92

Function 03C4E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 03C4E6A4

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 0200ea529325244b393a737650f9485cba1dd6f3ab1f63c0ddf4fea734fc16e9
Instruction ID: 4335949ac091f3bb2257cc2a482c11d74beba7f38266440c0ead934b456c19ab
Opcode Fuzzy Hash: 0200ea529325244b393a737650f9485cba1dd6f3ab1f63c0ddf4fea734fc16e9
Instruction Fuzzy Hash: F841B0765083519BD710DB75C984B6BB7E8BF88714F060E2DF984DB180EB74DA04C796

Function 03CEB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 03CEB28F

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 810c034543dd00fee494f1a6761da91e0b247cb54dec8a6bd59465c84adc0f75
Instruction ID: 4b28760c5f2d574f4213d36b3fc4bf5ebb85770cd9caf03d0f8c2a51e9bf6f07
Opcode Fuzzy Hash: 810c034543dd00fee494f1a6761da91e0b247cb54dec8a6bd59465c84adc0f75
Instruction Fuzzy Hash: 6A41C476D04219ABCF11DA95C841BFEF7B9EF44750F050166E911EF254DAB4DE40C7A0

Function 03CAC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 03CAC77F

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 430cc3a3e55188feac1b2f015b2d9fe2b94c824a6a38076275052869432745e2
Instruction ID: 78e54c4b5aba878866798ae7a5e83c245f2b725816f6fa7ea74367d5daf8b567
Opcode Fuzzy Hash: 430cc3a3e55188feac1b2f015b2d9fe2b94c824a6a38076275052869432745e2
Instruction Fuzzy Hash: 9B4165B6D0062DAADB21DB54CC84FDEB77CAB44718F0185E5EA08EB140DB709E889F94

Function 03CB97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 03CB9870

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: a9894b34153a67b0722c8a6172caefa9a7a06d24d795b1cb1d453bea08886d9f
Instruction ID: 1691e3386777735eecd9dd06246a70f5f48663393301029ff1bc56ce94eb5263
Opcode Fuzzy Hash: a9894b34153a67b0722c8a6172caefa9a7a06d24d795b1cb1d453bea08886d9f
Instruction Fuzzy Hash: 11319376A003119FDB24DF69A850B76B7F6EF5A314F598079E608DF391E7328E808790

Function 03C636EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 03C63731

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 2d1d877e8147a58199ad53010722fab38f55da189a6406a133c71cfc460cab22
Instruction ID: befa988da6598c5e9ce8788fe5bc9880c0530d25e80c7e810e4ab6897dead9ef
Opcode Fuzzy Hash: 2d1d877e8147a58199ad53010722fab38f55da189a6406a133c71cfc460cab22
Instruction Fuzzy Hash: B34198B56053019FC314CF19D2C0A16FBE4EF89714F18856EE44ACF291DB71DA42CB91

Function 004045C4 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Nj:, xrefs: 00404667

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: Nj:
API String ID: 0-3166132045
Opcode ID: fa7d4e3967f31540b878af8fb6f3969df631bce06a6ad072bf65da0a19305ee9
Instruction ID: 8cf2aa35ef8233358c7a4addb548fa1e3476db04209d2e11cb3d153df63f68af
Opcode Fuzzy Hash: fa7d4e3967f31540b878af8fb6f3969df631bce06a6ad072bf65da0a19305ee9
Instruction Fuzzy Hash: 092148B1D0121D9FCF84DFB889466EEBFB4FB09300F20466AD919E6251E33946418FA5

Function 03C35096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 03C350BF

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 8e461a6b7e4b441228d2f6761f3533095b7632f66fe3d05b79a50c21420d3f45
Instruction ID: 51aa2605a9077e87c9f14c27988b2a49acaa07c69dc42279b2c9ebeb88ca2e48
Opcode Fuzzy Hash: 8e461a6b7e4b441228d2f6761f3533095b7632f66fe3d05b79a50c21420d3f45
Instruction Fuzzy Hash: 4C1182307096528BEB24C91E88546B6F2D9EB97264F3C852AE462CF391D673DD418780

Function 03CB106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 03CB10F7

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 5398c06d019a3f2df23f5f50ed1d8ea40cbff99cf8c36a5a127e35345d3f1474
Instruction ID: cde1fbade332cebcdc891ea9eefd23b4d3d46529e9c3ff0df21ebe9a14a10d1f
Opcode Fuzzy Hash: 5398c06d019a3f2df23f5f50ed1d8ea40cbff99cf8c36a5a127e35345d3f1474
Instruction Fuzzy Hash: D82107B59183449FC320DF1AD844A9BFBE8FBE5B00F144A1EB5A0DB250D7B1D504DB92

Function 03C6E8F0 Relevance: 1.0, Instructions: 985COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7c87b017e63eb1d37c46f99fb574e988fe9e4c6e26dd43fd6ea7f968834a65
Instruction ID: 77e2d6e610ac0f751d21e36ed232b59c106f730ce7cbada229b736d6be9c1ad8
Opcode Fuzzy Hash: 2f7c87b017e63eb1d37c46f99fb574e988fe9e4c6e26dd43fd6ea7f968834a65
Instruction Fuzzy Hash: 23822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE416EB345DA34AC568B45

Function 03C7516C Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8951be3170c0f1d402c877f11a9390d45954068cf374fa42594c689c5ab8496
Instruction ID: 621660b7852f931ecb883d1f6bb2267c3c783f2d6b5b3b6c9bc10abaac333aeb
Opcode Fuzzy Hash: e8951be3170c0f1d402c877f11a9390d45954068cf374fa42594c689c5ab8496
Instruction Fuzzy Hash: 54628D7690464AAFCF24CF18D4905AEFB62BA56314F49C69CCC9AEB604D731BA44CBD0

Function 03C8739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b840e4733519fadc3d9307634be246aea2f36b6c202992ccd72977f2bb4e50fe
Instruction ID: beb68af9dd1063871adc36d8ded1ce583a87e2c686d53affaa9ebc4275dd1edf
Opcode Fuzzy Hash: b840e4733519fadc3d9307634be246aea2f36b6c202992ccd72977f2bb4e50fe
Instruction Fuzzy Hash: 4A429175A006168FDB15EF59C4806BEF7B6FF88318B28856DD552EB340E734EA42CB90

Function 03C85AA0 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684

Function 03C5B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373c7826561699dc3d5aca93c4d672f5c0483be2f5678bb18a9fe4d06248e608
Instruction ID: 77b09d09677fc85c6ab31df57f2df1c4936ad803d6b7002ea21d41b0b8aa1c2f
Opcode Fuzzy Hash: 373c7826561699dc3d5aca93c4d672f5c0483be2f5678bb18a9fe4d06248e608
Instruction Fuzzy Hash: D7329976E002199BCF24DFA8C884AAEBBB1FF54714F190029EC05EB381EB359D41CB94

Function 03C42840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049e87d4e451a4083991cb2db1116da627717ee9c7cd5c8951fc22d8579f314a
Instruction ID: e8605782b5a4978f14ce85bad56ed8af3f2f6184850bbd4d5c87c7154d6ee156
Opcode Fuzzy Hash: 049e87d4e451a4083991cb2db1116da627717ee9c7cd5c8951fc22d8579f314a
Instruction Fuzzy Hash: BD320E74A007558BEF24CF6AC8487BEFBF6AF84320F1A455AE446DF284D735A921CB50

Function 03CDA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480222e85fa6bbf1c0fd7fba6e02e9a616ebf13f43d33f306fbd067993b0fb5c
Instruction ID: 64f2683dfbd8f484c7e36b3ae689a9b624088853f97251c668ef6c63b7a3c77c
Opcode Fuzzy Hash: 480222e85fa6bbf1c0fd7fba6e02e9a616ebf13f43d33f306fbd067993b0fb5c
Instruction Fuzzy Hash: E422AD78204651CFDB24CF2AC094772B7F1AF45300F18889AFA96CF685E735E692DB61

Function 03CF16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcba136958c0d2f52006177652e323338911490b871630f98f5a3ccebbb11ae
Instruction ID: 0efa3fa15b15182e0a8be9f85d01267a049cd5cfb1fa2c26033f31bb78de6074
Opcode Fuzzy Hash: afcba136958c0d2f52006177652e323338911490b871630f98f5a3ccebbb11ae
Instruction Fuzzy Hash: A5228035A00216CFCB59CF59C490AAAF7B6FF88314B2D456DDA56DF344DB30AA41CB90

Function 03C5FB80 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240b4920a2ddec6e511c4b7b971baa932756a04fbb1e6775d05e48a26fbdc642
Instruction ID: dfb54ad5c3e970a727378f14fce1b0289943fe7c6e2ccc0a9e19560a6a4fa58b
Opcode Fuzzy Hash: 240b4920a2ddec6e511c4b7b971baa932756a04fbb1e6775d05e48a26fbdc642
Instruction Fuzzy Hash: 7C22D37590061AEFDB14DFA8C880BAEB7B5FF44358F1485A9E814DF245E730EA85CB90

Function 03CF1D5A Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f485338e28e3e8b780df10c6e0bdd7e34c191df7c5478d8b57fedf25a77a8585
Instruction ID: bb8842610aec8f10f225b703fc5ade8496177a63d353b9a12676664c6f34722f
Opcode Fuzzy Hash: f485338e28e3e8b780df10c6e0bdd7e34c191df7c5478d8b57fedf25a77a8585
Instruction Fuzzy Hash: 4122A0396047128FC759CF29C490A2AF3E5FF88314B198A6DEA96CF351D730E946CB91

Function 03C58DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ad5b167e43cc9a51cb77d41b2704fd78edf76dbf7847f2aece7d52f87feb43
Instruction ID: 9d61acf876348ec261f6e80cb6f73a466d91dd2ff633a283da447a94123f8716
Opcode Fuzzy Hash: 19ad5b167e43cc9a51cb77d41b2704fd78edf76dbf7847f2aece7d52f87feb43
Instruction Fuzzy Hash: 41225E74E00216DBDF14CF95C4849BEFBF6BF48704B19819AE846EB241E774EA81CB64

Function 03CF2446 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2858f221d82e5dea364321fa68a241d704ba14e4d5be273df83f245aab8ff58e
Instruction ID: 0c20314ab419698c5892a2f7b87591e97b45e0e65ace7d5cc5c4af929b50604e
Opcode Fuzzy Hash: 2858f221d82e5dea364321fa68a241d704ba14e4d5be273df83f245aab8ff58e
Instruction Fuzzy Hash: 660204796046518FDBA4CF2AC450375FBF1EF85300B19899AEAD6CF281D734EA42DB60

Function 03D0B16B Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54927d9dc4ad27ff5527c6dc0caa83e755990f2780f6c778783c7222936e7a85
Instruction ID: 2fb3835cefedcf4f5160eb4aaa2ba4f99a794f9eaac93e729dd011a9e1c6e483
Opcode Fuzzy Hash: 54927d9dc4ad27ff5527c6dc0caa83e755990f2780f6c778783c7222936e7a85
Instruction Fuzzy Hash: D7F1E572E046118BCB18CFB9C9A077EFBF5EF98600719416AD4A6DB3C0D674EA41CB90

Function 0040FED3 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: fcacbb8c9441478024ed503d3e5299d162d2d0b2d1204655e5d1e7211600a9e8
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 16026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90

Function 03D0A9A6 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ad5870a95c0dec24100b27634f4e8665db5764e8f9d177e7894394216b9e57
Instruction ID: 67742d581f7ca19ccbd65b9e80646d9f10d785d3794b6141b6bd11a4e304851f
Opcode Fuzzy Hash: 05ad5870a95c0dec24100b27634f4e8665db5764e8f9d177e7894394216b9e57
Instruction Fuzzy Hash: DEF1D677E006269BCB18CE68C5A06BDFBF5EF45610B1A426AD856EB3C0D734DE41CB90

Function 03C5FDC0 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e89fd9b27b4f16369ee6e9f8d42b6c93f2d583326aa24f2aa84c0c06bb0714
Instruction ID: 4a3fa9e4b51e49539424323f0f4ef2be45b5a5e7a903ef397266288da4392617
Opcode Fuzzy Hash: 58e89fd9b27b4f16369ee6e9f8d42b6c93f2d583326aa24f2aa84c0c06bb0714
Instruction Fuzzy Hash: DBF1917490061ADFDB14DFA8C880BAEB7B5FF48308F1885A9E815DB345E734DA85CB90

Function 03C28397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68632295a5e6b08fc4f35686167cbf91b5494f782c55964ed413408bc94fea54
Instruction ID: a9ceee2fd36f8d5c220c0074a4cc8a1b4b06f0ee7f88a381e489b7d4631cc9e9
Opcode Fuzzy Hash: 68632295a5e6b08fc4f35686167cbf91b5494f782c55964ed413408bc94fea54
Instruction Fuzzy Hash: 4CD1C475A007269BCF14EF65C890ABABBB5BF44708F094629F915DF280EB34EA45CB50

Function 03C5C6E0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf7e154ba3d11db12221a79477c9d077c09de4965553be051bdbd2eb90796dd
Instruction ID: 2a4a86ed1cb7e697710a7a7c0f4162716b8915deaaea04eeb9b21f1541bace45
Opcode Fuzzy Hash: dcf7e154ba3d11db12221a79477c9d077c09de4965553be051bdbd2eb90796dd
Instruction Fuzzy Hash: 29D14C72E043198BDF28CA99C5843BDBBB5FB54344F19C06AE842EB695D7748AC1CB48

Function 03C438E0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7952a73fcb0c06d3ae1428ad145019e6c7a3ac904cd06d2ef93a2566d25f672
Instruction ID: ea38034448a7249a0b47cf1357cf7215789ae1e2ddaf55fdfb4c685866b0bcfa
Opcode Fuzzy Hash: e7952a73fcb0c06d3ae1428ad145019e6c7a3ac904cd06d2ef93a2566d25f672
Instruction Fuzzy Hash: 0AE17D75A002458FDB18CF59C884BAAF7F5FF98310F19819AE855EB391D730EA51CB90

Function 03C4CFE0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f9d116f930cc40313cfd420fff7415493c598fc89b5355c3ebff360374c387
Instruction ID: d9ab39af31f9c792273f977cd750dcd40d7268fb34ea03c6cb8938fe6e8f5535
Opcode Fuzzy Hash: 47f9d116f930cc40313cfd420fff7415493c598fc89b5355c3ebff360374c387
Instruction Fuzzy Hash: F7D1C431B003198FDB34EB25C898BAAF7B5BB45314F0940E9D90ADB242DB75AE85CF51

Function 03C3D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3124092b18c1185750ccf5bbf40d3549ab01253326b6e7db0c49f220eadbd46
Instruction ID: 36cf4d49f2b9f0404de4cfe390480388e7d6d5a2803ddabd13e8a08a00aa0104
Opcode Fuzzy Hash: a3124092b18c1185750ccf5bbf40d3549ab01253326b6e7db0c49f220eadbd46
Instruction Fuzzy Hash: BBC1A571E002169BEF18CF5AC848BAEF7B5EF55314F198269D815EB280D771EA42CB81

Function 03C40535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 0f259f5ac383e79320f5477814559ae95be2d4b5d80856cf2eb3fde404c9d76d
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 5BB12535600655AFEF25DB69C844BBEFBF6EF84200F1A0199D642DF281DB30EA41DB90

Function 03C590DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92fbd45898c2da03748067d30bf3191a3e44c87833c750e9acb7d61e9cbd0a4
Instruction ID: 23f397a18733344356864ad61c056dc7f10c4437d0abb20fb2d6b52ec3e86710
Opcode Fuzzy Hash: f92fbd45898c2da03748067d30bf3191a3e44c87833c750e9acb7d61e9cbd0a4
Instruction Fuzzy Hash: 32A16A75900205AFEB12EFA4CC49FAE77B9AF45750F060094F901EF2A0D775AD50DBA4

Function 03C383C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aba702a05b78d9ca217e2124169597e92c1977c8e2086359d66209299cb692
Instruction ID: 62cb4eb96a79b102cad59048c22df6155458c89986f8e7f3f7ade8214e11a4d3
Opcode Fuzzy Hash: d4aba702a05b78d9ca217e2124169597e92c1977c8e2086359d66209299cb692
Instruction Fuzzy Hash: 68C169741083418FEB64CF15C495BAAB7E4FF88704F49496EE989CB290D774EA08CF92

Function 03C70185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c968b0e4dd8eab9e6e16fce3eb331ef7f573e6de141b791e9f311a0e7e6852fd
Instruction ID: 3bf16fdc07a13450a0073aa4b36b2845eb358b136bba97ba829e7be4bddeb119
Opcode Fuzzy Hash: c968b0e4dd8eab9e6e16fce3eb331ef7f573e6de141b791e9f311a0e7e6852fd
Instruction Fuzzy Hash: A8A1C175A0072ADBDB24DF6AC991BAAB7F5FF44318F044129EE05DB281DB34E901DB50

Function 03C4E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40faecd83f0643dfe04d81da684b845ea0da2725f9d89854bf38603903f914d7
Instruction ID: ffce50bc57664964dd1f114cd67254298e06f74f0dee9c3d5f080b6400e3ded6
Opcode Fuzzy Hash: 40faecd83f0643dfe04d81da684b845ea0da2725f9d89854bf38603903f914d7
Instruction Fuzzy Hash: 1A910436A007258BEB24EB79D448B7EB7A5FF84714F0B40AAE805DF240EB34DA41C791

Function 03C31131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ccda8bb4b9bdc01734c0f3ac518810ecf0a3f6867367ee81e77842bac9d5b9
Instruction ID: 3ca5ff5da37b684c5d074b7dfdd7ecc99c164f23ba3613204f6b28b82d1f8048
Opcode Fuzzy Hash: e5ccda8bb4b9bdc01734c0f3ac518810ecf0a3f6867367ee81e77842bac9d5b9
Instruction Fuzzy Hash: FEB10275A093408FD354DF28C580A5AFBF1BB89304F184A6EF899DB351D371EA45CB52

Function 03C64750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction ID: efd3e8be87051e0fd9e9441e3d5e9dbe69e9fdfdf7e403425c2bfb53e152fa67
Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction Fuzzy Hash: 48817A36E047D68FDB29CEAEC8D02ADFB55EF56204B2C467AD542CF241C225D986C391

Function 03C7DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction ID: d1b85583018ec38e75dc2f59bb9a0644196fe3bc11a8fcc41409d20e9a8cd483
Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction Fuzzy Hash: BA915372620A06CFD725CF2DC889662BBE0FF55364F188A18E8E7DB6A0C375E511CB10

Function 03CFF7B0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2117f0242b49a1b4a6a81cc0f584b7417b60f386dd1649b1b14860ec85de9e
Instruction ID: 1ab1bb397fae8db0cc5f5d43c9b330d412ac7f659a65b13ab1eb714cd332bae0
Opcode Fuzzy Hash: 7d2117f0242b49a1b4a6a81cc0f584b7417b60f386dd1649b1b14860ec85de9e
Instruction Fuzzy Hash: 4291E372E00206AFDB54CF29C8807AABBE5EF49310F19857CEA55DF291D774EA11CB90

Function 03CFF43F Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadfba181bc8f3040fadc7f8b18cb582a8cabe5b5f0588eff71b90d0f5db444c
Instruction ID: d2d5e7ab0bb989b80f264209c4240dbc526ab3b171d76463b2702763faf041e3
Opcode Fuzzy Hash: aadfba181bc8f3040fadc7f8b18cb582a8cabe5b5f0588eff71b90d0f5db444c
Instruction Fuzzy Hash: E691C072A005159FCF58CF69C8906BEBBF2EF88310F1986ADE915DB395D634EA01CB50

Function 03CF81CC Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c555c25d69994f8bd0e23118e91006bd4adfb96ce148a0f86c801ab0d395ee
Instruction ID: 1d25c771b4c5f0aeee939aaec364c3ecedd5e36369cb6ae23ff478c2bae81daa
Opcode Fuzzy Hash: 18c555c25d69994f8bd0e23118e91006bd4adfb96ce148a0f86c801ab0d395ee
Instruction Fuzzy Hash: 7D81B472E006199FCB54CF69C8805AEB7F5FF88310B19426AD925EB280D774EA56CB90

Function 03C40E59 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d59b03abed515b4f2fad9274ae49d856599978870cf4b289318d1b240bdaa69
Instruction ID: 99ead5978fb694f098e716396c04fa592e9b5c299babc63e145b95d7a096ceaa
Opcode Fuzzy Hash: 3d59b03abed515b4f2fad9274ae49d856599978870cf4b289318d1b240bdaa69
Instruction Fuzzy Hash: 3D819631A00669DFDB14CE5AC8849AEFBB2FF85210B29C2A5E954DF345D730DA41CB90

Function 03CEE4F6 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baedd80ead76611a0c6d4f54bccb2bf23cf405e8b0c0feca065e2083989cd16f
Instruction ID: 5e6a269567cd9af300997dde59159680c6026540f25beebd6cf87a9e2cd56cfd
Opcode Fuzzy Hash: baedd80ead76611a0c6d4f54bccb2bf23cf405e8b0c0feca065e2083989cd16f
Instruction Fuzzy Hash: 0B819176E002159BCB18DFA9C5906ADFBF5EF88350F19816AD816EF385D7309E41CB90

Function 03CFAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 802b6d236b02fb566779e7483cc2d4b5b1324042d2939d4b5eda4bacd32e3eeb
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 62816039A102059FCF58DF99C890AAEF7B6EF88314F198169D91ADB344DB34EA01CF50

Function 03C5D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: d54554adef98e06fa37319db79cb24be5979c5b12705ac50a177552ecd9bfd8b
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: DF818176E002158BEF14CF68C8887AEF7B2FB94354F1A416BD816FB344D6329A40CB95

Function 03C6E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc85a5d6b5c71eb57af0a1e3d5930a17f5fc452298a005f0e80274d198f4f74
Instruction ID: acdb49ab7eff64c3e105249ac2daf81580f3f6fd02ddeee266a5844d6a300250
Opcode Fuzzy Hash: 0bc85a5d6b5c71eb57af0a1e3d5930a17f5fc452298a005f0e80274d198f4f74
Instruction Fuzzy Hash: C1818E75A00709AFDB21CFA9C980AEEF7FAFB88344F14442AE455EB250D730AD45DB60

Function 03C5B950 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b942fbcfdf2fe81860387f48d3e49ebbc4c1a62c9c37e9fda2e59d0571900f5b
Instruction ID: 5050346fe402aaf2ce82735ca1f647b563cc8c68b92da7bde6ba239e79c5cc1a
Opcode Fuzzy Hash: b942fbcfdf2fe81860387f48d3e49ebbc4c1a62c9c37e9fda2e59d0571900f5b
Instruction Fuzzy Hash: 7171D4342047548EEB24CE2AC944736BBE1AB94704F19855EFC96CF1C8DB36ED82DB64

Function 03C4C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961af957aecc1f58b36449347d53a0a4596c3020dd933b1b6803ce10e0e60f88
Instruction ID: be6563652cba9969931ec7a8285d1b9dde2335a275badaf441bf53c949b5c4a9
Opcode Fuzzy Hash: 961af957aecc1f58b36449347d53a0a4596c3020dd933b1b6803ce10e0e60f88
Instruction Fuzzy Hash: 6071EDB6C01266AFDB25CF59C9907BEBBB4FF59700F15815AE842EB360D7709900CBA0

Function 03CEDAC6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f77085f52588d44e61f6fa105c26e566d17499408ce1b33f813454099e58a7d
Instruction ID: bbc80a8c7f86790d88d1addd4fab54732ee52cd7c3d8a54c12301cc8b2eb1109
Opcode Fuzzy Hash: 4f77085f52588d44e61f6fa105c26e566d17499408ce1b33f813454099e58a7d
Instruction Fuzzy Hash: 64818A70E003A59FDB24CF6AC448AAAFBF1EF49740F048499E496EB285D374D941DF60

Function 03CF70E9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85796e0c95d6f6702691d0380363dd2d154123b8da077525889db2eb793d0c65
Instruction ID: 621dd9b3bcd505324f97fbe2d246ba7d53260be8629dc65d6ce882c396671820
Opcode Fuzzy Hash: 85796e0c95d6f6702691d0380363dd2d154123b8da077525889db2eb793d0c65
Instruction Fuzzy Hash: 7D61F575E00316EFCB50EFA5C881ABFB779AF44240F15842AEA15EF240DB74EA459B90

Function 03C4260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dce0243f801cfd8d3e546f4da066e12b5fd28e11cf2e2dd7f25a8d7cfd55d89
Instruction ID: 1b50a3005f9564603b728089805cb6684cfa7d90e0c62c581a923bb966174aa3
Opcode Fuzzy Hash: 9dce0243f801cfd8d3e546f4da066e12b5fd28e11cf2e2dd7f25a8d7cfd55d89
Instruction Fuzzy Hash: 2071EF356046419FD311DF29C485B6AB7E5FF88310F0A89AAF898CF351DB38D946CBA1

Function 03CEF0CC Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff80506c5894f0cdd70ce11c4eef3ac30b7a10cf8f177fd289ace0cb8bd49bd
Instruction ID: 3202fd075602b999928403ddec77754a03fc7e169e73f22b5c24f5becc77aa35
Opcode Fuzzy Hash: aff80506c5894f0cdd70ce11c4eef3ac30b7a10cf8f177fd289ace0cb8bd49bd
Instruction Fuzzy Hash: 2C717B79A01626DBCB24CF5AC08017AF3F1BF94705B6A846ED882DB640D775EA91CB90

Function 03CB035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 658979fea8a8c4bf489c64df67a9d1024b1d12563a15e889c66eac6aab488478
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 9F717C75E00619AFCB10DFA9C984EEEBBB8FF88300F154569E505EB250DB34EA45DB90

Function 03CC62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f83400c569c50e7396a60a7433fdff80bbe4ce018c326fd29d04f8460807c10
Instruction ID: e52b77e4d66bf35b16312950d16c000526c9f9498e08d37282f5a091a2dd50ee
Opcode Fuzzy Hash: 7f83400c569c50e7396a60a7433fdff80bbe4ce018c326fd29d04f8460807c10
Instruction Fuzzy Hash: 32710E36210B41AFDB21DF14CA44FAAB7B5EF40720F1D492CE656CB2A0DB74EA64DB50

Function 03CF7A46 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6a2bacfdf4b287f4f49251b39e6dc9a1472017f182804c79cef07d5363a87a
Instruction ID: d82212def3655ed857cc0384b3720a6b84ca8943df934e8922559a653aad7316
Opcode Fuzzy Hash: 0b6a2bacfdf4b287f4f49251b39e6dc9a1472017f182804c79cef07d5363a87a
Instruction Fuzzy Hash: 43513A75A002255FCB54DF69C880ABAF7F6EF88350B194169EE54DF384DE34CA12C7A0

Function 03CF132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c681e5d6055cd47917bf305b1e8c5e4d89b171489ffc8c12718f1eb64aefb5ed
Instruction ID: 8c42b103fd496ddfa548e0b2fae1e74ed72c4b3a39ebee67dd9bd977eed2e264
Opcode Fuzzy Hash: c681e5d6055cd47917bf305b1e8c5e4d89b171489ffc8c12718f1eb64aefb5ed
Instruction Fuzzy Hash: F7817F75A00245DFCB09CFA9C490AAEBBF1FF88310F1981A9D859EB355D734EA51CB90

Function 03CF903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830682911b6ad9e61189aa78693a1be4c7dbcc517c1afecbe836c94766417b00
Instruction ID: ae6a1fc41fc7eae335b0b9777f8b7b124a036dff786db2aa7c4b6cfff32c3a2b
Opcode Fuzzy Hash: 830682911b6ad9e61189aa78693a1be4c7dbcc517c1afecbe836c94766417b00
Instruction Fuzzy Hash: C861FFB5600715AFDB95DF64C884BABFBA8FF88700F018619FA59CB240DB30E914DB91

Function 03CFFCF2 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6e9203a225adc4fcba2f78aa47793e38e7e302502642113fdc7aa7095cc109
Instruction ID: c76c53ad8e286b57aa790c5da5f3ac6fdd6dda784c52bd91e6a73f689f304aa7
Opcode Fuzzy Hash: da6e9203a225adc4fcba2f78aa47793e38e7e302502642113fdc7aa7095cc109
Instruction Fuzzy Hash: A561BF31A0020A9FCB94DF68C881ABEF7F5FF48314F25856DE615EB284D730AA55CB50

Function 03C37703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35adfe82addcf18000aa9772f80622ff7ad1242d9719769081e98aae7292b58
Instruction ID: 60d7ab17819995ed07f82fe838ee6b143142f5eeddc89802095d2581199305fe
Opcode Fuzzy Hash: b35adfe82addcf18000aa9772f80622ff7ad1242d9719769081e98aae7292b58
Instruction Fuzzy Hash: 9A6162B5A00606EFDB18DF69C480AADFBB5FF49200F19856AD419EB340DB30AA41CBD0

Function 03CF92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744c6e0de8740a2d9e3eb564fd7395f44801835d13e2168f1365ffbdb8626d6c
Instruction ID: aea789e0240190ad75caed53831568f959b380181d41a6e6abe2f8d5d895ed60
Opcode Fuzzy Hash: 744c6e0de8740a2d9e3eb564fd7395f44801835d13e2168f1365ffbdb8626d6c
Instruction Fuzzy Hash: 816114352047828FDB95CF69C494B6AF7E0BF90704F19046DEA85CF291DB31E90ACB91

Function 03CFCE93 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction ID: 9b13aa5ddc45553320d68fb4255997a493950b2324b09ded71dbb9e5a7035fe3
Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction Fuzzy Hash: DE51353270430A4FC794DE298C5076BFBD6AFC1250F1EC46DEA96CF249DA30DA0A8791

Function 0040FCAA Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5536a0d6976fb1126caeda13ec117f3dd1b7c112dee014b2ba0a0dc8947dd8f3
Instruction ID: 29c0604e558228a61f6f4935ad19ca780d4fb54f3398491cdc2dc5d4dadc37ea
Opcode Fuzzy Hash: 5536a0d6976fb1126caeda13ec117f3dd1b7c112dee014b2ba0a0dc8947dd8f3
Instruction Fuzzy Hash: C15193B3E146214BD318CF09CC40631B792FFC8312B5B81BEDD199B367CA34E9529A90

Function 0040FCB3 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 025723e4da0e9858469e6144b70e4408f3518c179fafa9b43a19f9adea39dcae
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: F85173B3E14A214BD318CE09CC40631B792FFD8312B5F81BEDD199B397CA74E9529A90

Function 03C2B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4de1c27dcdf8468a95c3f59b6b5f95f4dcba853a4b9d05132afc3ea6dd7244f
Instruction ID: 7e6a9eafc19761bb3b39a8b7dccda1a837261996689a355fae96fe95a8056088
Opcode Fuzzy Hash: b4de1c27dcdf8468a95c3f59b6b5f95f4dcba853a4b9d05132afc3ea6dd7244f
Instruction Fuzzy Hash: 94415536600710AFCB26EF25D980F2ABBA9EF44720F1A8469E559CF350DB70DD018B90

Function 03CF7D73 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb528b9ab6d003e24777d9bcbd6bfbd7c89a9b224f1e302b561e4c8f518deceb
Instruction ID: 20c89d9805005ed90a9eea5d62dfc52740ee0a775c275ab7d12088576f198e33
Opcode Fuzzy Hash: cb528b9ab6d003e24777d9bcbd6bfbd7c89a9b224f1e302b561e4c8f518deceb
Instruction Fuzzy Hash: DF51B136A1014A8FCB08CF68C880AAEB7F5EF98354B19827AD915DB355E734DA15CB90

Function 03C43740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03f02f6d44d0a4cab59860ba502d4488653ebed4e28bb30eb60ae30b06bee2d
Instruction ID: 91b14891027b8bdc55907ea65d7ac7b2f957f8d75f091cc2d6ddd41eca8a0a40
Opcode Fuzzy Hash: d03f02f6d44d0a4cab59860ba502d4488653ebed4e28bb30eb60ae30b06bee2d
Instruction Fuzzy Hash: AE51E27AA00695AFC711CF68C880669F7B0FF94710F0942A6E895DF740E734EAA1CBD0

Function 03C37152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe2982a10ab6a37fdab890f308137976e601d1c45722bb9da04f769e7e4b373
Instruction ID: de9135cb727a53ffda61da7843a96bf017a1eeb921f04ebe4752e8ca93ed58c6
Opcode Fuzzy Hash: 0fe2982a10ab6a37fdab890f308137976e601d1c45722bb9da04f769e7e4b373
Instruction Fuzzy Hash: CA513476A0060AEFEF15DF65C948BBDB7B4FF05310F19406AE416EB290DB74AA11DB80

Function 03CB3A6C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68750b895841e7d903dcdd53e8ff43bc580fa84f21949d4c4ac7c1dcafa854d0
Instruction ID: 522bbe2811db6808b0e3632afd7673d442fe50d1b326c2c80fa16f837e2e37ef
Opcode Fuzzy Hash: 68750b895841e7d903dcdd53e8ff43bc580fa84f21949d4c4ac7c1dcafa854d0
Instruction Fuzzy Hash: 74518C36E4016D4BEF24CA58D461BEFB3F2EB94310F48081AE855FF3C4CAB66A56D650

Function 03CAD800 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f872ddf71e4dd1ab9cc15c4d67f178d0531b14b46b07be805c70f152cebad44
Instruction ID: 30a1f8d5a72a9a17668d46f03c5f22e9be50ccf4913b6d25265daad55b4d9861
Opcode Fuzzy Hash: 8f872ddf71e4dd1ab9cc15c4d67f178d0531b14b46b07be805c70f152cebad44
Instruction Fuzzy Hash: DC51E474600B16EBCB14DF6DC4A4ABDB7B4FF45708B094199E942DBA90EB34DA50CB90

Function 03CFD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: ff66a1d087131cae517c15d4a15c8c5cc19a1b3dd20e3c180db31bd269979e3b
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 7C516C766087429FC351CF28C888B5ABBE5FBC8344F04892DFA95CB244D734E945CB52

Function 03CF7571 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b996057016e8a15077fb9861825fc40c6d4ae8d5ad6bc0be2a148a381c271e11
Instruction ID: 1cdc9dea21202d3303a9fda48d17f10be27f9f3d1a75681dfdf86cf2f07f4ce5
Opcode Fuzzy Hash: b996057016e8a15077fb9861825fc40c6d4ae8d5ad6bc0be2a148a381c271e11
Instruction Fuzzy Hash: A951D732E00115AFCB55EF69D844A7EFBB9FF48390F494169DA11DB254DB70AE11CB80

Function 03C351ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568a3b965b6139aa3aedd4307f4bbfccac38b876fdcccbe8682e79eb69df304c
Instruction ID: 1c5fe0bb91c6be05f89034bbdc0ee3a33b4c90f2e8fc556f2164760e96ab21e7
Opcode Fuzzy Hash: 568a3b965b6139aa3aedd4307f4bbfccac38b876fdcccbe8682e79eb69df304c
Instruction Fuzzy Hash: 03519C75A05315DFEF21DBA9C844BEDB3B8BF0B714F190059E811EB241D7B5EA408BA2

Function 03C6F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72988ed75f5bc2699b9d1a56f4d462e9658c2be3bd2cd883b4164f1760be0aae
Instruction ID: 2f7a5007933fcb1b18d1eac62cf8b3c5b1b77c653eedaaa5491ecc3b33ad01d0
Opcode Fuzzy Hash: 72988ed75f5bc2699b9d1a56f4d462e9658c2be3bd2cd883b4164f1760be0aae
Instruction Fuzzy Hash: 74416A76D04229ABDF11DBA8D888AAFF7BCAF45654F060166E901FB200DA34DE4197E4

Function 03C601F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d1b78fb49cd0d4b708b5dc39b6323922fb4dfcad0adff3cc68c5ae174e691c
Instruction ID: b4bfcafb7861ca1c765989d7af620dcc4ef8f6be05d8fe1838d777a12c79ed40
Opcode Fuzzy Hash: a4d1b78fb49cd0d4b708b5dc39b6323922fb4dfcad0adff3cc68c5ae174e691c
Instruction Fuzzy Hash: 4C41B076D05225DBCB14DF98C480AEDF7B4BF88714F19816AE816FB240D735AD42CBA4

Function 03C72750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 13d85d596556611af388a4b347e4fadf4862ad233baf7f9e2192c11fe9cbff8c
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 09512979A0061A9FCB14CF59C580AAEF7B6FF84714F2981A9D815EB350D730AA41CB90

Function 03C36154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78dc211b4afcbb2aca5f84d145dbdfa6a566710a52b204db35211a52925e8983
Instruction ID: 94efeb148bf6818c9574c6bd282a08c3a29ba0d9ed82bba251c7d01670cc3372
Opcode Fuzzy Hash: 78dc211b4afcbb2aca5f84d145dbdfa6a566710a52b204db35211a52925e8983
Instruction Fuzzy Hash: 29511770904256EBDB25DB24CC44BE8BBB5EF12314F0A82E5D465DF2C0D779AA91DF80

Function 03C2B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edea00ccfce29e670dd91a98aa9d97d8b0cb35df61605ff060e91f839b4bdf3d
Instruction ID: 4b800d163ebb7c97696eff6b9113e64d04a05ba549d175602b036b54398da7bd
Opcode Fuzzy Hash: edea00ccfce29e670dd91a98aa9d97d8b0cb35df61605ff060e91f839b4bdf3d
Instruction Fuzzy Hash: 1041BBB5640311EFDB21EF65C880B2AFBA8EF50794F098469E511DF250D7B4EE40DBA0

Function 03CFF0E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7dc4da94b4835bb7e6c61db8abdf58d9d453c03ae8be43680aa41d58fe8c298
Instruction ID: b32710921f295c8bf945e48f87f21730e46c30b450a1b65b84ec4f735fca7879
Opcode Fuzzy Hash: a7dc4da94b4835bb7e6c61db8abdf58d9d453c03ae8be43680aa41d58fe8c298
Instruction Fuzzy Hash: 6A41D0712083418FCB44CF65D8A597ABBE1EB84715F088A5EF995CB382C730D909CB61

Function 03CF866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 87afa016f92e41f19f020d331f3f1d7ae4d5b37b62db79f05259b4bee6576b2f
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 24419575B00319AFDB55DF99CC85AAFB7BAAF84600F194069E604DB341D674DE01C760

Function 03CDD5B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3d2649951639c8dd54ff417db6bcab3a227c25dd622e811099f2664559da39
Instruction ID: d2ad6dc4b2c4cc377741fd0d3d96a575a26a4b07d295a566e14eeaee4f04a661
Opcode Fuzzy Hash: 8f3d2649951639c8dd54ff417db6bcab3a227c25dd622e811099f2664559da39
Instruction Fuzzy Hash: F8410530E082949FCB14DF29C4996BAFBF1EF49300F098889E6C6CF245C734A556DBA0

Function 03C5D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ec249b7a03e8b256e2a40fa546b563435fa0aa9f9194d12887772bb63aedd6
Instruction ID: f3226e2b3a216465035f7106eb3365ced294b44c9e0a5d9e35f6bd8e35b8f375
Opcode Fuzzy Hash: c5ec249b7a03e8b256e2a40fa546b563435fa0aa9f9194d12887772bb63aedd6
Instruction Fuzzy Hash: 2041E3765047009FD725EF25C894F2AB7A9EB65760F06052EFC15CF391CB30A841DB95

Function 03C2A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 01f51b06ce5402694c02a7119b4770a2731e69c35503e8d571ba23dd3f8231d2
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: A8412E3DA00321EFDB20EF9588507BAFB72EB50759F1A806AE946DF240DA359F40D790

Function 03C60710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 65ed7ba5375eed8e0018d3f6f777fe57bf6e77fa3621d5002ec76568157f58be
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 8541F475A04715EFDB24CF99C9C0AAAB7F8FF18700B10496DE556EB690E730AA44CF90

Function 03CFFFB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299b0233676177a18824b1875e9fa1db6e56c3b916270381285fc5d9a7cf5b83
Instruction ID: c6a53297608dc5cffda7d1d7965b41b7e01aebdfda2cafbe07e56e01cba000ab
Opcode Fuzzy Hash: 299b0233676177a18824b1875e9fa1db6e56c3b916270381285fc5d9a7cf5b83
Instruction Fuzzy Hash: F9413A319042956BCB40CB6684A07BABFF2EF85605F0DC1AAED81DB382D639C916C770

Function 03CB07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25a961c4e85de9823927405a97c4498d2ff3ab25c9f4f3b92faa8c0e0090d9a
Instruction ID: 34aac23f4416db84a7a934515f484c0309b5a415bcc176aaa51e329bcc4f6756
Opcode Fuzzy Hash: f25a961c4e85de9823927405a97c4498d2ff3ab25c9f4f3b92faa8c0e0090d9a
Instruction Fuzzy Hash: 0C417D725083509FD760DF29C845B9BFBE8FF88664F004A2AF998DB251D770D904DB92

Function 03CFFA49 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6ba3532587de5736e35cf5566941017a4cb3dabe8a5dcab26c6d7b6e9cc336
Instruction ID: 8dac6174b8f61bed443cf8367138d37b2aa0c11c422f9c6b223ab636be82cc21
Opcode Fuzzy Hash: ca6ba3532587de5736e35cf5566941017a4cb3dabe8a5dcab26c6d7b6e9cc336
Instruction Fuzzy Hash: AB314B367101069FC758CF29CC44AA7BBA9EF84B50F09867CEA18CF284EB74D945C794

Function 03CFEEDB Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb783a149c921739dc356aa419da00a65c6d2f256df1ee7fb51bca8fe0d92a54
Instruction ID: 231880429d03aa475de78d7623b696f98746a65eea38531e695cd37d17a3b4b7
Opcode Fuzzy Hash: fb783a149c921739dc356aa419da00a65c6d2f256df1ee7fb51bca8fe0d92a54
Instruction Fuzzy Hash: 24418133E0412A9BCB18DF68D49197AF3F5FB5830475642BDD905EB294DB34AE05CB90

Function 03CFFB76 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119d64f1d8ec82b7b5f0acbf4da27c73331bc3e4f51e8749aa907d2b0785d03c
Instruction ID: 3b03c5ceab29e69d16c6e6825d38c5dd841d5cc45dec0d2a1d40598bcfe587c9
Opcode Fuzzy Hash: 119d64f1d8ec82b7b5f0acbf4da27c73331bc3e4f51e8749aa907d2b0785d03c
Instruction Fuzzy Hash: EA31D236A10215AFD764DF29CC44AABBBE9EF98350F458568FA08CF244DA74E901D7A0

Function 0040DF53 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 1aa7791497de71d852e926a4a966dac8ecbfaff0d4d4367d643b8cc90c56911c
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: EB3180116586F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5

Function 03C402E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 69723517445f16f383a74be2c1615d633c7495c5cdbc174c30fe51ec29b1bee2
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 7E312132A04254AFDB21DB69CC84B9AFFE8FF05350F0985A6E855DB352D2749984CBA0

Function 03C59274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b57079b33b49d8b70833519f605c3ed174a8168218d1f63953daf98071d35a
Instruction ID: 0b3d975c52b84ad3d6942d9e1480b8b92e3cf693dbede22f90961ad3b0015fd2
Opcode Fuzzy Hash: 55b57079b33b49d8b70833519f605c3ed174a8168218d1f63953daf98071d35a
Instruction Fuzzy Hash: 1A317275A00328EFDB21DB24CC40B9AB7B9EF85750F1501D9B94DEB280DB309E84CB95

Function 03C35702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ade59bc65366507a5e3a61bf0edde49152f0196175c8f7aac98bcb9666c870
Instruction ID: c4dee1d2b099b953f59675eaed8a3ee6d9a5ecb573fd2084f980949f74673f9b
Opcode Fuzzy Hash: a3ade59bc65366507a5e3a61bf0edde49152f0196175c8f7aac98bcb9666c870
Instruction Fuzzy Hash: D431CD3A211B12EFDB51EB25CA84AA9F7A9FF46754F051065E801CBA50DB70E920DFD0

Function 03C34260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c32a7dbad0d2af9421becf8cd0dde14fb2e9790ef2396a062ccd9dadac5f521
Instruction ID: 56a47383afe6274590ff3051e7245196c935a147bb33679fe4e9934f9ba9f9bc
Opcode Fuzzy Hash: 2c32a7dbad0d2af9421becf8cd0dde14fb2e9790ef2396a062ccd9dadac5f521
Instruction Fuzzy Hash: 2741CE35200B45DFDB26CF25C984FD6BBE9AB46714F06842AE999CF250C774F900CB90

Function 03C550E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 9b5684afc39ccde2d1123ff2c957110eb8d40840e370baea9958838bb2e53016
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: C831F4317083419BDB21DA29C800767BA94AB86794F0D816AFC86CF2D0D676CDC1C796

Function 03CF61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a84df49c298d46af2af758528a3aeb99fba9d2d084c8cdc92915738f3fb6528
Instruction ID: 41592f9031f270a6bcd242a1449552cfd13616ee1053ca0dc2756759de82aba0
Opcode Fuzzy Hash: 2a84df49c298d46af2af758528a3aeb99fba9d2d084c8cdc92915738f3fb6528
Instruction Fuzzy Hash: 7B31AF7AA00259EFDB15DFA8C880BAEB7B9FB44B40F454169E900EF244D774ED50CBA4

Function 03C29730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b638bab807a094884ee9e7af241f042acee364541c007db0bef648aa3d6890e
Instruction ID: 695adb4fd2f627e68a37970dfad0537d252a498ccd7c513d3fd4f57e29423c96
Opcode Fuzzy Hash: 6b638bab807a094884ee9e7af241f042acee364541c007db0bef648aa3d6890e
Instruction Fuzzy Hash: 7621B07AA00B24AFC322EF698800B1ABFB5FB94B54F160469A955DF351DB70ED11CB90

Function 03CF6BD7 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e88ad1fc46d50626941b12bc3602d0de7d2cdc45f4de30cba7fe36df23be8e9
Instruction ID: e63278e9fb7ca8943c2ca01be0baa6bf6ee5468240a962fff4ef1ea67e08e49f
Opcode Fuzzy Hash: 1e88ad1fc46d50626941b12bc3602d0de7d2cdc45f4de30cba7fe36df23be8e9
Instruction Fuzzy Hash: 6D316D32A002049FCB64DF3AD8C5A5B7BF4FF59340F858469E908DF249D270E955CBA4

Function 03CF60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecdfb3b06cf4a1321aed53c5f24e0b434d6ccb6d79ee886a6aaee5c01fd3e5a
Instruction ID: 13f19d8c4a546029ef02adba4c1623571a1b64b6510021f3d264fc3299a611f1
Opcode Fuzzy Hash: eecdfb3b06cf4a1321aed53c5f24e0b434d6ccb6d79ee886a6aaee5c01fd3e5a
Instruction Fuzzy Hash: 33312136B00315AFCB22EFA9CC50B6EBBB9AF44314F0180A9E641DF351DA31DD009B90

Function 03C307AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d76755dbc9f7e92dc1254176536a83a337f55f7a88c515396c29b0dbabc789
Instruction ID: cfb8bb9d6942e45a222ea860ac5736488d293a5bff23c13a1c62c9a2ef47b1c1
Opcode Fuzzy Hash: b3d76755dbc9f7e92dc1254176536a83a337f55f7a88c515396c29b0dbabc789
Instruction Fuzzy Hash: 4031E337A04721DBC711EE288880E6BBBA5EF96664F064569FC56EB310DA30DC0197E2

Function 03C2D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 2f88eb226ff6ee1b6eb9a16f01632dfe66bc7d3a50df0c550d2af5ae14d8b29a
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: CA310B3A600A14AFDB21DE54C888F2ABBB9DB90B51F1D8469ED26DF214D378DE40CB50

Function 0042EAE3 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d1c44c02fb93cacee1e73ad732c9f76cf38427e2df321513106ea3834658cb
Instruction ID: 0f90a10ea85466345375f5cf5a7b1e29a0fb5d51a7e3a3f0256689b5b7c55dc5
Opcode Fuzzy Hash: 05d1c44c02fb93cacee1e73ad732c9f76cf38427e2df321513106ea3834658cb
Instruction Fuzzy Hash: CD31DF72B106265BD354CE3AE880656F7E2FB88320B54863AC919C3B40E778F961CBD4

Function 03C357C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effb4c570d9ae1bb8851275f6e0ef8d72bbb12af454765a620e43f3bc7f3421c
Instruction ID: e19c2ae6e4dd8feb9bba837e4ee883c82f28a8f9245ddc39216c93497ce4fba1
Opcode Fuzzy Hash: effb4c570d9ae1bb8851275f6e0ef8d72bbb12af454765a620e43f3bc7f3421c
Instruction Fuzzy Hash: E631AE3A715A09FFDB51EB25DA44AA9BBA6FF86300F445066E901CBB50D731E930CBC1

Function 03C6A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: a19e44a1327f73014756e4ed085d66f965287a6c8c067a10ad3c3d8c4e157aac
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 6D314DB6B00B01AFD764CF6ADD81B57B7F8BF08B50F08092DA59AD7650E630E900CB64

Function 00403200 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36c1d5d40eb4061929a6eeaa9fd6fa0dfe20199c7b2c5b022fe5630ec2f704b
Instruction ID: 6ee2045f8c6a47047b8731f54c6398829193a06f955e8ec452eca25a223ff1f6
Opcode Fuzzy Hash: a36c1d5d40eb4061929a6eeaa9fd6fa0dfe20199c7b2c5b022fe5630ec2f704b
Instruction Fuzzy Hash: 9431C072A10B148FD3A8CE6DD945203B7E5EB88304B418A7ED85AD7B80C778FD01CB84

Function 03C5438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1a78121d046d775fe5d8fc4f9053e1e255887b32dba96d1815912bc340bc7b
Instruction ID: e6a48462c2b19f32d059d3a07f6289ad16991f1b7df53a2b1e72af313b2c87e7
Opcode Fuzzy Hash: dc1a78121d046d775fe5d8fc4f9053e1e255887b32dba96d1815912bc340bc7b
Instruction Fuzzy Hash: 2931C432B003459FDB28EFAAC984A6FB7F9AB84305F01852AE845D7254D730EDC5CB54

Function 03C392C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 1eaf9183759a7a140b2bc3394ad556180ef1f57e086dc6c068972ce6f8d06b07
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: FE317CB56083499FCB01DF19D840A5ABBE9EF89350F06096AFC91DB3A1D730DD14CBA6

Function 03C87190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 69436848601a7e2e3a85695a2fc2ebbf97ece4dbb5b5b2d06cd646091711a2cb
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 7A316775604206CFC710CF19C480956FBF5FF89358B2986A9E958DB325EB31EE06CB91

Function 03CEC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 334011cde96643fa32c48cf66fef4eaec6596ce98c8ba4a1cf5b63655bc36fba
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: A9212B3F600755A6CB24EBA58840ABAF7B4EF50710F41C01AFDA6CB691E634D950D360

Function 03C2C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808d2a24da55097e6c1f5b374d6b44d8f2528515d2032048f05b77cd75459b25
Instruction ID: ca552e4c9ca1c6eb65cb76c47bc19ef70689b81b2040f6db1451255fff0d5777
Opcode Fuzzy Hash: 808d2a24da55097e6c1f5b374d6b44d8f2528515d2032048f05b77cd75459b25
Instruction Fuzzy Hash: 6131E8755003109BC730FF14C845BA9B7B4EF41318F5985A9D946DF385DA74DA85CBA0

Function 03D003E6 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78084e64bd516aca7650be8432384c471c06043c5b32438f98330f784f3c9979
Instruction ID: d602b49524a433b672669e6ed90ee64108dcaa31398c45c42b4241a855f82967
Opcode Fuzzy Hash: 78084e64bd516aca7650be8432384c471c06043c5b32438f98330f784f3c9979
Instruction Fuzzy Hash: 3C316F72A00119BFCB18DBA5D894F9FBBB9FB88604F414169E905E7240DB30AE04CBA4

Function 03C2E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: d94e3241f14df824b99195e5a06dc60c619ac49e5fb7e3408dc31b5287d78757
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 7431A935600654EFDB21DFA9C884F6ABBF8EF84354F1545A9E552DB290EB30EE02CB50

Function 03CAE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e1360fe9bcb43cb04e30bb310682eb130285b7dce669081da6e533613295bd
Instruction ID: d64bf5d7dfd3e84e340ee56485ac3c9cc53b63125e4356b676da0b02489d0ab0
Opcode Fuzzy Hash: 32e1360fe9bcb43cb04e30bb310682eb130285b7dce669081da6e533613295bd
Instruction Fuzzy Hash: E2319F75A0060ADFCB14DF2CC884DAEB7B6FF84308B154959E809DB390E771EA41CB94

Function 03C33616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72896b1a330396105add259150a5aa621469854659cbe2ce1cf0eb8d0295e6c4
Instruction ID: 4ea674c3856b5834d7826b0a460ed9c2d2626746306ebc901f69efb5c05c7240
Opcode Fuzzy Hash: 72896b1a330396105add259150a5aa621469854659cbe2ce1cf0eb8d0295e6c4
Instruction Fuzzy Hash: 3B21F5392457909FCB61EF15CA44B6ABFB4FF82B14F090869E841CFA51C7B1E948CB81

Function 03D00591 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfceeb4f380ca53bf5050c500052aaa58525543d78636be35501cbda3a1528a
Instruction ID: 1edd8c6adf7fbd78d9672c17e4ca0fa5ec13917af8e25ef80a33223c8634e383
Opcode Fuzzy Hash: 4bfceeb4f380ca53bf5050c500052aaa58525543d78636be35501cbda3a1528a
Instruction Fuzzy Hash: E821F1326002059FD728CE29C884BBAB3A6EFD4B00F998478ED45CB2C5DB30F845CB90

Function 03C5F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 29cf7b95959cb53ef771d741ea14790b2013baa10a1e5108de3038f28e2ed88c
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: CB218B72200300DFD71DDF15C445B6ABBE9EF95365F15816DE90ACF2A0EBB0E981CA98

Function 03CB06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15fe22c4be1af1df33c71f673afd3974a7749117fae023c999d5ed66929e9545
Instruction ID: d7283b03f35e924db2df2c6e24135d421fbaf87d967c32e58724f6b9ea097bd5
Opcode Fuzzy Hash: 15fe22c4be1af1df33c71f673afd3974a7749117fae023c999d5ed66929e9545
Instruction Fuzzy Hash: 70216D759002299BCB14DF59C881ABEB7F4FF48740F550069E941FB240D778AD52DBA0

Function 03CB019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9744420570fce007874bcda90de243c8342e87d9105de1592d7264e6eec7ffc3
Instruction ID: c8578b5c295a74410eb680d76ddedd4b50a501c69545903d37b65a6312dd23d8
Opcode Fuzzy Hash: 9744420570fce007874bcda90de243c8342e87d9105de1592d7264e6eec7ffc3
Instruction Fuzzy Hash: BF21DE75600654AFC715DB68C840F6AB7B8FF88740F140069F944DB7A0D738ED10CBA8

Function 03C69660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead08c21cb16d6130dfdea628e28c9e78456552765509942e8feda2f64c1f53f
Instruction ID: ffe5c17f2c318b0886737f139f23cd58459aea9f4bdea4820008e1001b50bff9
Opcode Fuzzy Hash: ead08c21cb16d6130dfdea628e28c9e78456552765509942e8feda2f64c1f53f
Instruction Fuzzy Hash: 7E213831200B05DBCF71EB29CC80B26B7A6FB51228F184659E893CE6E0D731E951DB95

Function 03CB0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6482c83a5375706eece5e1d2e47599cdc49c405468767ec440393c90a1c442e
Instruction ID: 3b14ed062cd254d373e38a403371b65222d070d7e71b8cb56929cc2b975137b5
Opcode Fuzzy Hash: e6482c83a5375706eece5e1d2e47599cdc49c405468767ec440393c90a1c442e
Instruction Fuzzy Hash: 7E21B0729043959BC711EFAAC848BABF7ECBF81240F094556BC90CB251D734DA48C6A2

Function 03CAD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 7151716367bd87fc38109b9659b81a9124d4c71da85cbebbf5ae455830022491
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 5721F272644B01ABC311DF1DCC55B9BBBA4FB88724F05022EF946DB7A0D731D90197A9

Function 03D001AA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c026277872cc5e0963f605c228b607be8d88f840ed5543f7cdc629beb2de6ff
Instruction ID: a1c996ebf0ed2adea8d9f8302c7b6fd04acadb1d4cad8cc842706384d237f455
Opcode Fuzzy Hash: 7c026277872cc5e0963f605c228b607be8d88f840ed5543f7cdc629beb2de6ff
Instruction Fuzzy Hash: A1210A712041905FDB45CB6A88F45B6BFE6EFC6215B0D82E6D984CB342C134D907C7A0

Function 03C6A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bf6f1ecdc4212d89704b192355920728476dbc43691453b374e4ba4c73497a
Instruction ID: 27f5c82a5565e25999382ea02ce03eb21b1b659c17bf4b97bf2483c41d70d944
Opcode Fuzzy Hash: 89bf6f1ecdc4212d89704b192355920728476dbc43691453b374e4ba4c73497a
Instruction Fuzzy Hash: 4521AC79200B519FC724EF29C840B46B7F5AF98748F1884A8A909CB761E331E952CB94

Function 03C2B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7ace08162457ef1d1688df378132f1a424b8f415785b167d21276fd43c0b749
Instruction ID: 5ce891571dc98ddac613f3b2bdf130e431b4938c489665424d675ac60399bc73
Opcode Fuzzy Hash: a7ace08162457ef1d1688df378132f1a424b8f415785b167d21276fd43c0b749
Instruction Fuzzy Hash: 51216936100B50DFC721EF68CA41F19BBB5FF18748F1A4968E40ADBAA1C734E910EB44

Function 03CFEE26 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b626cd1ebd66efe2a1d26ed84b0573245269cba7ffd092eba36f048cde0aaa41
Instruction ID: b42c0aaecd9f2253f29cbe90bc64f7fa5d9f73646468e13c0eddc4bf6e898cbb
Opcode Fuzzy Hash: b626cd1ebd66efe2a1d26ed84b0573245269cba7ffd092eba36f048cde0aaa41
Instruction Fuzzy Hash: B621B433A104119F9B18CF3DD804466F7F6EFDC31436A427AD912DB268D770BD118A84

Function 03C60124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 79f3aaedb7a8b465795239431ecbc90d82aac5a3843aa8395792b261d8fb5681
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: C311EF76604714BFD722DF85CC80FAABBB8EB80754F150029EA01EF180D676EE44DB60

Function 03C38770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e51d3cc6a95cbc97f25b591a414704ff124dfc185160a38a2752dfef3afbfd8
Instruction ID: 8cb1c64f987e00113935c51753b20611786dd810b9ca04f982739bc253d2492e
Opcode Fuzzy Hash: 0e51d3cc6a95cbc97f25b591a414704ff124dfc185160a38a2752dfef3afbfd8
Instruction Fuzzy Hash: 99119D366007209BCB11CF59C480A6AF7EAAF4B750B198069FD08DF205D6B2EA0587A0

Function 03C33720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00b2979cee78422589e73190f40291aa602f1b522ef73cb05ca76f8117a8cf3
Instruction ID: 34bf41746177b0029fa73b41e0f700f485751f5745eabdb2579ea796fd50c5d4
Opcode Fuzzy Hash: c00b2979cee78422589e73190f40291aa602f1b522ef73cb05ca76f8117a8cf3
Instruction Fuzzy Hash: A8210779A003488BE725DF5DC5487EDB7B4FB8A318F2D8018C811DB2D0CBB89A45CB50

Function 03C380E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30dcca66137ef2276ed95199b2e6707e49d37b17252db808dc964d1e8b2b7be8
Instruction ID: 84826ca0f325f18bf7fd52bfbd9749b84de35f61435ddb4f8250a0f006d6b03b
Opcode Fuzzy Hash: 30dcca66137ef2276ed95199b2e6707e49d37b17252db808dc964d1e8b2b7be8
Instruction Fuzzy Hash: A0215E75A00205DFCB14CF99C581AAEBBB5FB89314F24416DE105EB350C772AE0ACBD0

Function 03C6674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148937d03ba7c441f10769c27e4fda6e5432889d6a4c8982593179ba9f6183ae
Instruction ID: 845c494c502a3506b526fce0f5a4d5dc361e75d4b006c9b5069de135b4ec27fe
Opcode Fuzzy Hash: 148937d03ba7c441f10769c27e4fda6e5432889d6a4c8982593179ba9f6183ae
Instruction Fuzzy Hash: 69215675611B00EFC720DF69C881B66B3F8FF84250F44882DE5AACB650DA70AD60DBA0

Function 03C29240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85dae548149101cf856714e7dff0bc2c8dfbb6b59ab697cc238b8eb4ce4dc0f
Instruction ID: d6501194c4f197e5688c8505e78efc7c54c0b4032946b35b9c91651946f318dd
Opcode Fuzzy Hash: c85dae548149101cf856714e7dff0bc2c8dfbb6b59ab697cc238b8eb4ce4dc0f
Instruction Fuzzy Hash: 2211E27F010640EAD730FF56D901A727BA8EBB4B84F144065E800DB358E738DE01CB64

Function 03C666B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32755500ce7151faa8850d394bd09d3b4547de4b35fd8aad6018725e3309bbe7
Instruction ID: 7b6e3cd28f0ba25faa3acc23b8e4be216cb1aa7f326c0eafae0b4d01cd0efe48
Opcode Fuzzy Hash: 32755500ce7151faa8850d394bd09d3b4547de4b35fd8aad6018725e3309bbe7
Instruction Fuzzy Hash: 6F11CE76A01344EFCB24DF59D5C0A5ABBE8EF94650F1A8079E905DF310DA70DE10CBA0

Function 03CFFF09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f629486d06ba5293cea0ab9bc75405e88b7907b4448fe1dd98bdb4fd1b5a73e
Instruction ID: 499c63169c64a662fd5881d3787f5bd2fa1a97c018c6ec8bba0f0120fbf4f6eb
Opcode Fuzzy Hash: 5f629486d06ba5293cea0ab9bc75405e88b7907b4448fe1dd98bdb4fd1b5a73e
Instruction Fuzzy Hash: 722152B2A502059FD754DF2AE884A42BBF5FB5D210B8585BAE90CCF24AE770D844CB90

Function 03C527ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914b6323b2efa39914e25e9993f52a19d517a3f8de8c3e0d3f59ceec9a00deac
Instruction ID: 216285a4be265a4151c83fff3c8e58c0bd757b409737cee5fba9f7763617fca9
Opcode Fuzzy Hash: 914b6323b2efa39914e25e9993f52a19d517a3f8de8c3e0d3f59ceec9a00deac
Instruction Fuzzy Hash: 3D01043B605684ABE316E2AA9888F27B6DCEF80354F0A0465F800CF641DA14DC00C2A5

Function 03C5B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd725b15f23d3c654f1db45f53ca4294ed68f3d55b07656975ebf8e0ad7d5a23
Instruction ID: fc9ceae544f2f69cfe9e299b11b543f30f60e535ea48e82adb84b581e6f3c20e
Opcode Fuzzy Hash: fd725b15f23d3c654f1db45f53ca4294ed68f3d55b07656975ebf8e0ad7d5a23
Instruction Fuzzy Hash: 3901D6B6B04300ABD710EBBA9C81F6BBAF8EFD4314F050029FA05CB141EA70ED409625

Function 03CED6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: dc3f8c2c1362fd67af51a53ea278b205c6cab8a5bfdb9df6a0b0d0b4cd7c1785
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 43018479700209BF9B15DBA6CA88DAFBBBDEF85A44F050059B916D7204E730EE41E760

Function 03C34690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01afa505e28cd14948947aa6840df5776a4f49f4f9ec82641f0da71e55f4fb20
Instruction ID: f8b6084924b56ee8d7609ecbc636c3716a98a344a08e3090609cf79bae5b3686
Opcode Fuzzy Hash: 01afa505e28cd14948947aa6840df5776a4f49f4f9ec82641f0da71e55f4fb20
Instruction Fuzzy Hash: 7611AC3A240744AFCB29CF5BD944F56BBA8EB87B65F094129F814CB290C770E940CFA0

Function 03C27330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0371805163a40142a9f72563d0aa0a5c150e96b9a39e8d289908fb4be0fdd2d
Instruction ID: 2ae2489ecaebfc5c11f32dcfd6ccb97e431c896b7b84a3b0d3d0a398ed5fcdb6
Opcode Fuzzy Hash: a0371805163a40142a9f72563d0aa0a5c150e96b9a39e8d289908fb4be0fdd2d
Instruction Fuzzy Hash: 0E11AC72600724AFD721CF69C881FABBBE8EB44304F054829EA85CB212D735ED00DBA1

Function 03C5F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ce686bd11a5fa5cb7ab0631f49d35a5637918a498c97c399594c2f9427d430
Instruction ID: 16e4867f3e562df9697a317669eceea4c055549a5c88e6fc18961f411820a10b
Opcode Fuzzy Hash: 11ce686bd11a5fa5cb7ab0631f49d35a5637918a498c97c399594c2f9427d430
Instruction Fuzzy Hash: CC11E575600B48DBD720DF69C844FAEBBA8FF44704F19047AE901EB241D679DA41D754

Function 03CC72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 6a05246b6a382eb46d89766d2c4463d9ade8907ebe2c8031bcbf153992ac6fd7
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 6E01D27A240645BFD711EF16CC84E62F76DFF84391B054929F510CA560C721ACA0DAA4

Function 03C2A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 12d3bba0c3323fe33c34916dca6f41ee620892b90c576c09fb6824eb1a21bf24
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 1B01C475505721ABCB20CF159840A26BFA9EB45760705896DFC99CF680DB35E520DB60

Function 03C36259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ecdaad664d8ff89e5926c856896195afe6d87bc18b8b5a58e1d7f565c06378
Instruction ID: 81856130d4f43588c913eb7038bbca9c8ca3bdd32b3c4722dd8931433d9c472a
Opcode Fuzzy Hash: d0ecdaad664d8ff89e5926c856896195afe6d87bc18b8b5a58e1d7f565c06378
Instruction Fuzzy Hash: 5C11AC75601328ABDB25EB24CC82FE8B378EF04710F5145D4A729EA0E0DB70AE91DF84

Function 03CAE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279cf10a722991f2c3d68975938505885a14797f4699a1776130811fe816502a
Instruction ID: 98b7fe9720cd3cea54cce483054075de9900f355f4205f5983535a0e25612986
Opcode Fuzzy Hash: 279cf10a722991f2c3d68975938505885a14797f4699a1776130811fe816502a
Instruction Fuzzy Hash: EA117936641740EFCB15EF29C980F56BBB8FF48B88F2500A5E905DF6A2C235ED01DA90

Function 03C3208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 0e3e33b9c58b64cf344593abda0f1ef420995afa2fc3a8f9efe2aacf16f29114
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 5C0128322002108BDF10EA19D880BA6B76AFFC5700F1948A9ED01CF245DA71D981C790

Function 03C720F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad1ffe8fa98f707b3ec4cc401a234f4a422d2a36de740bad065b07e23b35998
Instruction ID: ce5cbd2998507796487dc0ada1acb510b6b50e439d050d7d25cbbb0b8fa4f379
Opcode Fuzzy Hash: 7ad1ffe8fa98f707b3ec4cc401a234f4a422d2a36de740bad065b07e23b35998
Instruction Fuzzy Hash: 62116D35A0020DEBDB05EFA5C850EAE7BB9FB44244F004059ED12DB250D635EE11DB90

Function 03C2C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 8b5f628d5636348085379f4fde6ed7611b9c8f9cdf63ff8f3b6a8ee6ecd98554
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 5F01F5321007449FDB22F766D804EABB7E9FFC4654F09881AA947CF580DA70E641CB60

Function 03C29353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: a28fdab158e405c6565c57162b515294e6987d87f292ccb979abd5496bf2c078
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 15118B32900B219FD721DF15C880F22BBE4BF807A2F1A886CD889CE5A5C774E890CB10

Function 03C533A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 211736eb9695ae7a565d87fbad533b74fd5c3055de464ee96c4dc2b486b28910
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 3501D63A700245ABCB16DA9BCC40F5FBEAC9F84681B150429BD05DF160EB34D982D768

Function 03C6D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 18979a55f3ac28f5b435221b6174320d1be38269cae53e495613a8f2daca89c8
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 0C01477AB086049BD710DA55E848F65B3A9EFC4A24F154155FE13CF280CB34EE00C790

Function 03C2826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e010975258c13b822550de45133327b32b04503b59971c82d59a0b23a08fa049
Instruction ID: 81d2ca28b61b82a9017a17080db5d615e6d953b6020668bbb3484d4ebea12ae9
Opcode Fuzzy Hash: e010975258c13b822550de45133327b32b04503b59971c82d59a0b23a08fa049
Instruction Fuzzy Hash: E301A776B00718DBC714EB66D8109AEBBB9EF40610F1E40699902EB640EE70EE01D691

Function 03C4E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 58cfeb3b82e2ad4587cbb24423230213fbf801dc41b43e2eed1168b641a49506
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 6C015672200A809FD322E72DC948F36B7ECEB85754F0E04A1E815CFAA2D738DE40C625

Function 03CEF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae29f5ea68f03f2aca7532da503ee51a7cc5194c4ae3851d938435c6f9e4ca8
Instruction ID: f143174fd43d5f9de163c31ce2d665ec64db0a1d04ba312bf8a14f223c2952b4
Opcode Fuzzy Hash: 2ae29f5ea68f03f2aca7532da503ee51a7cc5194c4ae3851d938435c6f9e4ca8
Instruction Fuzzy Hash: C3018475A10358EBDB14EBA5D815FAEBBB8EF44700F05406AF900EF380D6B4D900C795

Function 03CF972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 03C2C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: ab5b5d546514d78179847919d1c7de3a7f08a707c974f547f1120e4177486e74
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 55F0FC372447329BC732D6598880FBFBE958FC5AE4F1A8435E109DF204CAA48C0166D0

Function 03D05152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42647fbc2903431ac5fc9562641d1b7d6cb67f74037af0cc444dacae4bd6e71
Instruction ID: 9509ad6e08b1cb302e539cd7e964c7de4bce2119415bcdae78b5fdebd469852c
Opcode Fuzzy Hash: e42647fbc2903431ac5fc9562641d1b7d6cb67f74037af0cc444dacae4bd6e71
Instruction Fuzzy Hash: 40012175A10249ABDB04DF69D941ADEBBB8FF49700F14405AE900E7380D674DA018BA5

Function 03D050D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02dbca4db7effb4c93269f8c40031e3efd53de2d78438c8b042b6b588446f022
Instruction ID: 99aa39236a86f66b4e91fe6b5b406a480cded04fcbc65302d24893fe472929b5
Opcode Fuzzy Hash: 02dbca4db7effb4c93269f8c40031e3efd53de2d78438c8b042b6b588446f022
Instruction Fuzzy Hash: F4012175A10349ABDB04DF69E945ADEB7B8FF49700F50405AE900F7380D674D9018BA5

Function 03D05060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380fd8eed4971adc9473b9ee9dd09704223ef240ce99881cc60853f8acb226bf
Instruction ID: ce3225f657b6c9ea5f743dccbd6b56786e6c4971797550520b601669804131b7
Opcode Fuzzy Hash: 380fd8eed4971adc9473b9ee9dd09704223ef240ce99881cc60853f8acb226bf
Instruction Fuzzy Hash: B9012C75A10349ABDB04DFA9D941AEEBBB9FF49700F10405AF901EB381D674EA018BA5

Function 03C5C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: d313dc013c0730c13839ad5c0576671c2b78b74b30814ecb3f20dd6e12f249e3
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 0DF0C2B3A00610ABD324CF4DDC40E57F7EADBD4A80F098128A905CB220EA31DD04CB90

Function 03C65734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: ee200f05d0ac3732bebb1c45d4ed8ca7a26047699fd6f6167705117408750c21
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 27F0FF72A11214AFE319CF5CC880F6AF7EDEB46650F194079D500DF230E671DE04CA94

Function 03CEF78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f232ad0e7aea1cddb06a4f45cde02051b5c1860a84953984b34101ae632e27
Instruction ID: c4039667aba58132707657c66d2a809317195772e57f7e57fa16e48224328b47
Opcode Fuzzy Hash: 52f232ad0e7aea1cddb06a4f45cde02051b5c1860a84953984b34101ae632e27
Instruction Fuzzy Hash: F9010CB5E00749AFCB04DFA9D545AAEBBF4FF48304F11806AE855EB341E674DA00DB91

Function 03CEF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0a17e865466dfca079ec170e0af6579c41dee8bb7b78da35b067e17e13e831
Instruction ID: 3564f3bdf926857e77654aebe9e807902d42407a753ad3b89f9e7a53d5330844
Opcode Fuzzy Hash: 6f0a17e865466dfca079ec170e0af6579c41dee8bb7b78da35b067e17e13e831
Instruction Fuzzy Hash: 90F06876F10348ABDB14DFB9D805AEEB7B8EF44710F01805AE551EB290DA74DA019791

Function 03D061E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c6e7bb9cdd26ca1f63edc4a7b0434f363218b78fc1ca57966d3c4a80cab349
Instruction ID: d20a33663720d1899999862cf9c77b3bd5703e706a97b84c5466b5ee3888c61a
Opcode Fuzzy Hash: 32c6e7bb9cdd26ca1f63edc4a7b0434f363218b78fc1ca57966d3c4a80cab349
Instruction Fuzzy Hash: 32018F71A00258DBCB04DFA9D845AEEBBF8FF48710F14005AE900EB380D774EA01CB95

Function 03C6724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 76ec125fc5d8741fa727e076ca71cc5ce99205ccb6eb4bdf0fd5a3d796dda9c4
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 19F09675A11355EBEF14D7AA8980FAFF7A8DF84614F098995BD02DF144DA30FA40C750

Function 03D053FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4070539b45f2717402b3023c05403c2f87b50ef0fbaa2709fc0efa38ebb026f1
Instruction ID: 41bff678cdc840568f096a8fc115a4260d9f0915d3082d71f33bce6fad78f5fd
Opcode Fuzzy Hash: 4070539b45f2717402b3023c05403c2f87b50ef0fbaa2709fc0efa38ebb026f1
Instruction Fuzzy Hash: 9E011A74E00249DFDB04DFA9D545B9EF7F4FF08700F14826AA919EB381EA74DA409B91

Function 03C2C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3a6d9c3d5c75bc077576970c6219c012e9ede7d3ffe6639efe9082a92e1d67
Instruction ID: 10265be51b24358084e350df41fcd1d23b15f28d516339f405fe2205f2168a86
Opcode Fuzzy Hash: 9b3a6d9c3d5c75bc077576970c6219c012e9ede7d3ffe6639efe9082a92e1d67
Instruction Fuzzy Hash: CAF024B12043645BE715E659DC02B663A9AEBC0691F29C06AEB05CF2C0EA72ED018394

Function 03D03749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: 2bf996a49921f59dffdb83d649b5123512b22de7b96cd5e21e86941ae823221b
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: C3F04FBA940304BFE711EBA4CD41FDA77BCEB44710F100166BA56DA1D0EA70EE44DB94

Function 03CD437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 7f7e34b023ffe957f92d17a240371a5d1c9bba870f73867d0663f4660b44c3c6
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 3FF08939781B1247D77DEA6F9450B2EE2559F80A50B4E052CB755CFE40DF70DD019790

Function 03CEF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71f9e3882bf2489dd2d190bd5623927570bdc043e764ca1e02bb36d7499d2b9
Instruction ID: 7bb7f88231ea0c698ed9947c8040f0871027b44499e344f72297382d5ff6040c
Opcode Fuzzy Hash: e71f9e3882bf2489dd2d190bd5623927570bdc043e764ca1e02bb36d7499d2b9
Instruction Fuzzy Hash: BBF03775A01248EFCB04EFA9D545A9EBBF4EF48300F41806AF945EB381E674EA01DB55

Function 03C292FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8e277f02e0223f1a736a43a1bfc908c28a2f43687de11755cf8b962589e4f6
Instruction ID: 2e535e86e640714cae0b00c5c508827b6a0855224c42756e374de0d2cd0592ee
Opcode Fuzzy Hash: ec8e277f02e0223f1a736a43a1bfc908c28a2f43687de11755cf8b962589e4f6
Instruction Fuzzy Hash: D9F0FA32200340ABC731EB09CC04F9ABBEDEF84B00F090129A942C7190C7B0AA08C660

Function 03C347FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3ed25cce3a2bfda0612dbc7c089ca6128d1d009c14704db575f41160f9019d
Instruction ID: 82c0c06972175104a612fa73df2a256189eccf1ccb111a06379035209f02ba8f
Opcode Fuzzy Hash: 8e3ed25cce3a2bfda0612dbc7c089ca6128d1d009c14704db575f41160f9019d
Instruction Fuzzy Hash: FAF0B43B9127D09FD736CB5BC444B21B7D9DB02764F0D89AAD889CF541C724DA81CA52

Function 03CEF6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03e82ba3f75d433e4eccd0efd73df8e2b851d11c1f21e4339c60b0e06b15b10
Instruction ID: d3ec34f0c0f002a71075cccda420fceaf5ebe104d0f7b70480902f54c0abdeb3
Opcode Fuzzy Hash: c03e82ba3f75d433e4eccd0efd73df8e2b851d11c1f21e4339c60b0e06b15b10
Instruction Fuzzy Hash: 1EF06D79A10388EBDB04EFA9D805EAEBBF4EF48304F014069E901EB381E674DA00DB54

Function 03CF0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628f4e59559a59d0ea87436b5ae6e88029c9800bd386d66f48bf7349f6db4c6f
Instruction ID: 849fd5fffcf5e33dd4ba1289e7d97ca17ecdd8f02cb5d4ca63eeda070dbb4d73
Opcode Fuzzy Hash: 628f4e59559a59d0ea87436b5ae6e88029c9800bd386d66f48bf7349f6db4c6f
Instruction Fuzzy Hash: 12F027BB41A7E04ECF71FB286850391BF689762810F1E5089C6A1DF306C9B5C683C620

Function 03D0539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db965e963c3a7328d842496dbdecf226c5bd855adb4139d26c8bfa48f74c256e
Instruction ID: 7bba370ebbc72b94a95092e80edf4eba6f4709141e2ba81da4ff0940410dc4c0
Opcode Fuzzy Hash: db965e963c3a7328d842496dbdecf226c5bd855adb4139d26c8bfa48f74c256e
Instruction Fuzzy Hash: C7F09A74E10348EBDB04EBB9E445BAEB7B4EB08600F108059A901EB280DAB4D9019B24

Function 03D052E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7a2968ef1b5899ba30c21365a63d928fc8e7ccf21dce8e29e06548bb03c514
Instruction ID: ded371e07e1748941e691deec43cc4bca7c56cff267a7c622fcafeac880bfe34
Opcode Fuzzy Hash: 9d7a2968ef1b5899ba30c21365a63d928fc8e7ccf21dce8e29e06548bb03c514
Instruction Fuzzy Hash: FCF0BE74A10388ABDB04EFB9E905E6EB7B4FF14700F044059A801EB2C0EA74D900DB54

Function 03D05283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f0ab0c003108f49b16120f664dd0bb9119ea8cb249ca7f88dd299e054ccd7a
Instruction ID: f83c39e30eaada003709eb97964c0163f681bc15705a4c308b76dcdf4cefb105
Opcode Fuzzy Hash: 12f0ab0c003108f49b16120f664dd0bb9119ea8cb249ca7f88dd299e054ccd7a
Instruction Fuzzy Hash: 75F0BE78A10348EFDB04EBB9E905FAEB7B4FF04700F004459A841EB3C1EA74DA009B54

Function 03C72619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 5454cd1563acdc3bee0c0a4f5547bf1545a0385d7877bf5e38eccf05c10ae5fa
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 8FE092723006006BD721DE59CC80F47776EAF86B10F05047AB904DE251CAE69D0982A4

Function 03D05341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e84d68ba4e24a1beb774b95633ff2e910463e9f4746b1619f8e0559867b28d
Instruction ID: 800551065526d0bbd28660149b07a6e8a5caeb93abc95094fca58fce0a0908e7
Opcode Fuzzy Hash: d7e84d68ba4e24a1beb774b95633ff2e910463e9f4746b1619f8e0559867b28d
Instruction Fuzzy Hash: 16F02774E0434DEBCB04EBB9E845E9EB7B4EF09700F100059E801EB3D0EA74D9009714

Function 03C67208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1febe9a29e817114b347e1798c5b18e3e55451a9cb4a4455448346f185f5fd1
Instruction ID: b5deb4219d9a6fe05607c887b2fdc8303a372903088216600866b280c831869b
Opcode Fuzzy Hash: b1febe9a29e817114b347e1798c5b18e3e55451a9cb4a4455448346f185f5fd1
Instruction Fuzzy Hash: C0F020B1911A869FC722E72EC0C4F22B3E99F00B78F0D84A0D809CF701CBA8D980C290

Function 03D05227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1b5205e17e6b4cba9483183e2f2624dd854ba19d7616f05c8b5c79df4cdd21
Instruction ID: 56dfea8232f35617044c5582f6a18dc9be27d963a23747c4f01d63d80567c699
Opcode Fuzzy Hash: ef1b5205e17e6b4cba9483183e2f2624dd854ba19d7616f05c8b5c79df4cdd21
Instruction Fuzzy Hash: 4BF08274A14348ABDB14EBB9E905F6EB7B8EF44704F050459A901EB2C1EA74DA009759

Function 03D051CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ad0b0c6c8f3688280cbf6112972ab17eb58a3732f44c69fd1aa3f4e44a012a
Instruction ID: 182c71e739b34bfeb4df7ec9519b3ddee5cb5b91be06e3327e5d5d33248f8de3
Opcode Fuzzy Hash: 09ad0b0c6c8f3688280cbf6112972ab17eb58a3732f44c69fd1aa3f4e44a012a
Instruction Fuzzy Hash: 3DF08274A14248EBDB04EBB9E905F6EB7B4FF04704F050059A941EB2C1EA74E900DB59

Function 03CAD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 1854dab4fd8da43b96068a412b3b0fa7e9e44bcbea6b8286ab9e1621e10e0914
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: A1F0E53360471467C230AA0D8C09F5BFBACDBD5B70F10431ABA24DB1D0DA70A911D7D6

Function 03CEF72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bbf317355bd7ee605832070697460d22e264af68120c8a0ebecc8e987d73070
Instruction ID: 8ab750c49cdb7cd595c22baa4f9886dd8be943df51a8d57e4e8f42c7df597337
Opcode Fuzzy Hash: 7bbf317355bd7ee605832070697460d22e264af68120c8a0ebecc8e987d73070
Instruction Fuzzy Hash: A3F0A775A10348EBDB04EBB9D559E9E77B4EF08704F060059E541EF3C0D974D901A759

Function 03C30710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 87a12ad40f9cf34ee92673e01622df3132510b56eeeac4861ce5204a6ca8c130
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 79F06D3E3047949BDB16DF2AD050AA57BA8EB46364B0500D9E846CF351EB31EAC2CB94

Function 03D037B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 52cc8818afe91b07db853a3a64a24060d7a3d10607d524bb6d8fb5902960521f
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 21E06D76210200AFE764DB58CD05FA673ACEB40B60F150258B515D70D0DBB0AE40CA60

Function 03CB4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 9483c06bde7a0abe31757ea4d27738c16b90deff60aff492d2c210f91666726c
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: D0E0C2343043058FD719CF1AD080BA2B7B6BFD5A10F28C068A848CF206EB32E942CB40

Function 03CEB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 7ecc973c1769ec0f2cbfe555df3d60c60431597a215ed0e215d2c2cbb7eaf25f
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: E3E0CD35244314B7DB22AA40CC00F797B15DB407D0F118031FB08DE650C5719D51E6D4

Function 03C2823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 0735f13feaa6e0276769938e5476d0e95e4f29de0a4dc4c54aa966010bdaabd5
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 59E08C35101B20EEDB31FF12DC04F527AA5FB84B50F164969E482CE4A48BB0AC91EA44

Function 03CB92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a85336327f86bc6edbed0671a86a272e95ff036d29e47ee339cb71028902596
Instruction ID: 125a70e25ffe6558b28bcf92848992d32ae806ef62701d1ec91a3b788231c1c5
Opcode Fuzzy Hash: 1a85336327f86bc6edbed0671a86a272e95ff036d29e47ee339cb71028902596
Instruction Fuzzy Hash: 2AF0E535651B84CFE72ADF08D1E2F91B3BAFB65B44F500458D446CFBA1C73AAA42CA40

Function 03C32050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640ae5e4a702fa018663e70a754fd336ebfc89bbf86a6e50ee7eae7c1ef1d67d
Instruction ID: 05b961014d58bd53b5cca6d95c986c66ee80bc894913873fdc98b64cb312df63
Opcode Fuzzy Hash: 640ae5e4a702fa018663e70a754fd336ebfc89bbf86a6e50ee7eae7c1ef1d67d
Instruction Fuzzy Hash: 36E0C2332007906BC721FB5DDD00F8A73AEEFA53A0F024221F150CB690CA60EC00D794

Function 03C2A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: e8f7dc10c910495732127aeee6bc3712225556ef60d2d53a196366e0f80a9bde
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: CCD0123A31617097CB29E6566914F67BD159BC5AA4F1A016D780AD7900CD158C42E6E0

Function 0041480C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438335528.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7460aa8699ffd5e81ce2d03db0f143f246ad95f6a1000299a56ec2cde561297b
Instruction ID: fd7ba7d404b95df717f8813513e414ceff02cf9c7162b241cb907d810a9b51bd
Opcode Fuzzy Hash: 7460aa8699ffd5e81ce2d03db0f143f246ad95f6a1000299a56ec2cde561297b
Instruction Fuzzy Hash: 45D0A77A802611AB821157318D427C53B70EAA119430400D4D4044B407A234B9594BC1

Function 03C402A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 1c0462645c36cdf0474f9257489164cb9fbaf1c77018e06211ea7fa06bafb8d3
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: B8D0C935252E81CFD62ACF0DC5A4B16B3B8BB44B44F8604D0E501CBB61D66CEA40CE00

Function 03CB930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 515e16e59f7e986cebb3101ac59683fd6826bac4e1b83e2fe525bd65ade7665e
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: E2D05E35945AC4CFE727CB08C165B907BF8F705B40F890098E0428BBA2C37C9A84CB10

Function 03C6C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 0739117aced7e209daf7f718c1b25cc6fe6254657a345a45e752a03bef9e5298
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 90C0123A290688AFC712EA98CD01F027BA9EB98B80F014021F6048B670C631E820EA84

Function 03C50310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: af6cc01c1105e08974ba28cad21c1b442f453ef79e4d5d8ced204fd8aa62431e
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 4AD01236100248EFCB01DF41C890D9A772AFBD8710F148019FD194B610CA31ED62DA50

Function 03C30750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: b78394523fbcc826d887ce2e392feda29ae03ba974a0804cc97a4bb7a47ae7e8
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 15C04879B11A818FCF15EB2AD294F4977E8FB84744F1A08D0E805CFB21E624EA11DA10

Function 03C74340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a1fea4665c68775600945c68527f886cf85770db7a8e32eea73671f6144c3c
Instruction ID: d9207e47c900c21a26f1f008bb449648049f154fc077c928e4db173c3af88a4a
Opcode Fuzzy Hash: f6a1fea4665c68775600945c68527f886cf85770db7a8e32eea73671f6144c3c
Instruction Fuzzy Hash: CC900271605904129141B25848C45C6400697E0705B96C011E042C598C8B148B565361

Function 03C73090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921e7da90aee502a168f58cb787e620a7bb052eb0bd19b5734fe8e1115e9289a
Instruction ID: 5e73577c256afb0f2e4224b975434118a4d9fc5e23f65ad3b760169dd3c94409
Opcode Fuzzy Hash: 921e7da90aee502a168f58cb787e620a7bb052eb0bd19b5734fe8e1115e9289a
Instruction Fuzzy Hash: 1190026124150C02D141B25884547870007C7D0B05F96C011A002C598D87168B6566B1

Function 03C73010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89fa28f4e4dae07eecbc4d38ffa4db5bccbeba74fb5ea859bdc64c0fa0d1d86
Instruction ID: 2b2f1c7b56368b0ba0206c1bcaeac6d0a73628fd64a280b13bf714149cf5c21f
Opcode Fuzzy Hash: d89fa28f4e4dae07eecbc4d38ffa4db5bccbeba74fb5ea859bdc64c0fa0d1d86
Instruction Fuzzy Hash: 1B90026120194842D141B3584844B8F410687E1706FD6C019A415E598CCA158A555721

Function 03C74650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf569dc05e96d32a3de8ec8f6a2522bb16e70576c8ebd9938cb955ea2c59d82
Instruction ID: 8c9c457570570642dd4c9970c2f4061f84117d5ad86024db98de2352c4182ade
Opcode Fuzzy Hash: 1cf569dc05e96d32a3de8ec8f6a2522bb16e70576c8ebd9938cb955ea2c59d82
Instruction Fuzzy Hash: EC9002A1601604424141B2584844486600697E17053D6C115A055C5A4C87188A559269

Function 03C72BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f468998828c7c21b8d10737fab4daf925a0115e8293e0ab912a7cb3c0be754f1
Instruction ID: a619991b01414a5cf53e4941cf349c28daf4f1760801d6ea0275baa4ad3d4f91
Opcode Fuzzy Hash: f468998828c7c21b8d10737fab4daf925a0115e8293e0ab912a7cb3c0be754f1
Instruction Fuzzy Hash: 5890027120554C42D141B2584444AC6001687D0709F96C011A006C6D8D97258F55B661

Function 03C72BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27353ca2fa6e462000efc1565e19cec3a879680fafe186e21852311c651db2e1
Instruction ID: 4ade4d89b8fd8c6dbf348899a9d592f55c2c63e515dd70313f3064eedb98d575
Opcode Fuzzy Hash: 27353ca2fa6e462000efc1565e19cec3a879680fafe186e21852311c651db2e1
Instruction Fuzzy Hash: 9A90027120150C02D181B25844446CA000687D1705FD6C015A002D698DCB158B5977A1

Function 03C72B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a6fd17d6b356deca95e2cbbdc6b571797c2bd4ab72b72caa470a2c01e20020
Instruction ID: 35c1e27b78686efcc3ee82ffe8a177864db586c5686cb8ff66742f92ef002207
Opcode Fuzzy Hash: a0a6fd17d6b356deca95e2cbbdc6b571797c2bd4ab72b72caa470a2c01e20020
Instruction Fuzzy Hash: 6690027120150C02D105B25848446C6000687D0705F96C011A602C699E97658A917131

Function 03C72BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd06f0b28f58e57bb8cd87df76455e8f5abcd8c715f4d1faada655e17778f8ed
Instruction ID: d9216c63abd1ae65201849efdcb4a50e4151c712ceac89714f174068aaffc200
Opcode Fuzzy Hash: cd06f0b28f58e57bb8cd87df76455e8f5abcd8c715f4d1faada655e17778f8ed
Instruction Fuzzy Hash: 2A90027160550C02D151B25844547C6000687D0705F96C011A002C698D87558B5576A1

Function 03C72AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f62d46cdd10e37022eeda355f86b5ee5b258e4315e249936961acc5b6ef2aa
Instruction ID: 5ccc219a2ee1aa6f5f38cdfe196630356f1921bbd00af45df39f71b803a0d9fb
Opcode Fuzzy Hash: 12f62d46cdd10e37022eeda355f86b5ee5b258e4315e249936961acc5b6ef2aa
Instruction Fuzzy Hash: BD900265211504030106F6580744587004787D5755396C021F101D594CD7218A615121

Function 03C72AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572c9586e11b2366d272f8ea3e460b5446325f63564508eae813589def9106e1
Instruction ID: c2722349e27a935bfc5695f505d3cfbe9a2a88bd3de37575e91234bae57404ec
Opcode Fuzzy Hash: 572c9586e11b2366d272f8ea3e460b5446325f63564508eae813589def9106e1
Instruction Fuzzy Hash: F7900265221504020146F658064458B044697D67553D6C015F141E5D4CC7218A655321

Function 03C72AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cddc42f3248122e8b88e9d435b33fea9dcf695b7cc4d1b94eb57c9fadd963b5
Instruction ID: 2e8e4ebbd39979a97c036f95cf0b1e4137fb25db93f65f02320f814261de36b2
Opcode Fuzzy Hash: 1cddc42f3248122e8b88e9d435b33fea9dcf695b7cc4d1b94eb57c9fadd963b5
Instruction Fuzzy Hash: 069002E1201644924501F3588444B8A450687E0705B96C016E105C5A4CC6258A519135

Function 03C739B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23704cc1692e00a76c61809f41ac85640bf0791c1fea3c9a940ccac78960c245
Instruction ID: 79b255b7f3a25c8e839931f40a2bb101864861b948c2a43a3cf4c2cf473dfe59
Opcode Fuzzy Hash: 23704cc1692e00a76c61809f41ac85640bf0791c1fea3c9a940ccac78960c245
Instruction Fuzzy Hash: 3E90026124555502D151B25C44446964006A7E0705F96C021A081C5D8D86558A556221

Function 03C72FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1de2568e5b35f41c09ddb7e21c8cb1fe38838aac5b34aaaf48d52decedb78c
Instruction ID: 9bd2d9bce85154b30f317e8e6be32bc5c4c892e2d64f7141fbda9639946fc01f
Opcode Fuzzy Hash: 9f1de2568e5b35f41c09ddb7e21c8cb1fe38838aac5b34aaaf48d52decedb78c
Instruction Fuzzy Hash: 07900261211D0442D201B6684C54B87000687D0707F96C115A015C598CCA158A615521

Function 03C72F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96805f36d913fe6a9423e5d6493a79613a97cd180a72f6ee80b7d568ed3d8651
Instruction ID: af061bc7e42375e3cf38ebb6c4b3ce3cf207fe61a584f0b8efc80188a114a787
Opcode Fuzzy Hash: 96805f36d913fe6a9423e5d6493a79613a97cd180a72f6ee80b7d568ed3d8651
Instruction Fuzzy Hash: 9590027120190802D101B258485478B000687D0706F96C011A116C599D87258A516571

Function 03C72FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bf2a0c596872f11400af4e2ec543d560c9e08edb41399650334c885779a80b
Instruction ID: c5fa407f6bef238fdef9d573b1e13eff083977061a2a10579db8bde873315023
Opcode Fuzzy Hash: b3bf2a0c596872f11400af4e2ec543d560c9e08edb41399650334c885779a80b
Instruction Fuzzy Hash: 7F90027120190802D101B25848487C7000687D0706F96C011A516C599E8765CA916531

Function 03C72FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1115037693a0bd49650fcb1ef29b678f2b0df0ed81c991f8ae321e5ca613d024
Instruction ID: 7f7a45951496b504501c0e1f969aa8ad09dde4f8684043a0bf58f3020397ff6d
Opcode Fuzzy Hash: 1115037693a0bd49650fcb1ef29b678f2b0df0ed81c991f8ae321e5ca613d024
Instruction Fuzzy Hash: F3900261601504424141B26888849864006ABE1715796C121A099C594D86598A655665

Function 03C72F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7dbc1b65812bfdc3c8b3aa6d865845b690acf6205fec668580c866f5f05dec
Instruction ID: 1712e05f7f2c8bb087120fe9595f667e5454ca18542cfd3a418b0cfff1cac37e
Opcode Fuzzy Hash: dd7dbc1b65812bfdc3c8b3aa6d865845b690acf6205fec668580c866f5f05dec
Instruction Fuzzy Hash: 749002A121150442D105B2584444786004687E1705F96C012A215C598CC6298E615125

Function 03C72F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5abd74326b62b422f26fe47593f6712fe0fd22ef08f1d0153e6dbd459f667b2
Instruction ID: af5a27673156e8e58387cd342d22957042625c1a32243017c68b61198122fecb
Opcode Fuzzy Hash: c5abd74326b62b422f26fe47593f6712fe0fd22ef08f1d0153e6dbd459f667b2
Instruction Fuzzy Hash: 749002A134150842D101B2584454B860006C7E1705F96C015E106C598D8719CE526126

Function 03C72EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526a57017b305494ce3da651556ccb93360e17fb026eca8b7392d55cf0b5916e
Instruction ID: f4b9876c674b2e959a84995f3a2ae1a5114c1bc452cf8bc1f6534c69a1b9fd6d
Opcode Fuzzy Hash: 526a57017b305494ce3da651556ccb93360e17fb026eca8b7392d55cf0b5916e
Instruction Fuzzy Hash: A29002A120190803D141B6584844687000687D0706F96C011A206C599E8B298E516135

Function 03C72E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a598e5c05893417ac1694d23fd02842b938f5905a806c7946015c0961807497
Instruction ID: be6bcaf4fdf9f6dfb5a73d00c66b5be37e06a639bb86c4b068c61c6544370d8e
Opcode Fuzzy Hash: 0a598e5c05893417ac1694d23fd02842b938f5905a806c7946015c0961807497
Instruction Fuzzy Hash: 8B90026160150902D102B2584444696000B87D0745FD6C022A102C599ECB258B92A131

Function 03C72EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a8f9461d4ee9289c33852617af2290e19b995a45a779a30c440bfb0ecfbf48
Instruction ID: cd5d0dbdfc45c1236238367d0db5fa4f7885911f113865dcab8e29487817cca4
Opcode Fuzzy Hash: 41a8f9461d4ee9289c33852617af2290e19b995a45a779a30c440bfb0ecfbf48
Instruction Fuzzy Hash: 619002B120150802D141B25844447C6000687D0705F96C011A506C598E87598FD56665

Function 03C72E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baaf74fcfee02f88e31d7af043b879ea998c830b414bc6fdc116123616509db
Instruction ID: 07b89371a4f1f9fa36871b912d0783f1f71d67bc95cf137b20e3a167a4c999c8
Opcode Fuzzy Hash: 0baaf74fcfee02f88e31d7af043b879ea998c830b414bc6fdc116123616509db
Instruction Fuzzy Hash: 6590026130150802D103B2584454686000AC7D1749FD6C012E142C599D87258B53A132

Function 03C72DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97de109d9ce11f4ca00854bc12cfdcce01ad0cbce555c2f91f9c8a59c9b2676
Instruction ID: b95aec3ceca8c4a18cdb42d24f9c8678a2cccd89f0fdad7f0dd1d748c2d26af6
Opcode Fuzzy Hash: b97de109d9ce11f4ca00854bc12cfdcce01ad0cbce555c2f91f9c8a59c9b2676
Instruction Fuzzy Hash: 1D900261242545525546F2584444587400797E07457D6C012A141C994C86269A56D621

Function 03C72DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ae7fb7eec0737ec12ef987033e79c4b7efd00d95891b76133ac50854d34c52
Instruction ID: 7959c87dcfcc67f523e0f252bad21bf2d9a84ff1698d7760c0d2f5c30b70b53c
Opcode Fuzzy Hash: 81ae7fb7eec0737ec12ef987033e79c4b7efd00d95891b76133ac50854d34c52
Instruction Fuzzy Hash: FE90027124150802D142B2584444686000A97D0745FD6C012A042C598E87558B56AA61

Function 03C73D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46ec2a0147464cad4034c9c4d070c433b7f3c139742ee6d0835f494873aba4b
Instruction ID: a4e54c3d3dfa140b725c4146d9cd068026ddfd04dcfd731e025f5f08c97a23e4
Opcode Fuzzy Hash: a46ec2a0147464cad4034c9c4d070c433b7f3c139742ee6d0835f494873aba4b
Instruction Fuzzy Hash: 0690027520150802D511B25858446C6004787D0705F96D411A042C59CD87548AA1A121

Function 03C72D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41d002c29a04433801278505445232b55868de5e147a4098f5c61211f679b71
Instruction ID: 62885221928e3cd2a7ab5da937fe13bc1477780380276833fd8c7422276209ae
Opcode Fuzzy Hash: b41d002c29a04433801278505445232b55868de5e147a4098f5c61211f679b71
Instruction Fuzzy Hash: A990026120554842D101B6585448A86000687D0709F96D011A106C5D9DC7358A51A131

Function 03C72D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25339b556130a5f8428e76d34de69378d07463e8d35582d339d360ecb0dc9a3e
Instruction ID: 5460a0524fe1d3517a85ca47f531e7c769fc0a721a2bf25b8d0d28aa80b5cc6c
Opcode Fuzzy Hash: 25339b556130a5f8428e76d34de69378d07463e8d35582d339d360ecb0dc9a3e
Instruction Fuzzy Hash: 3E90026921350402D181B258544868A000687D1706FD6D415A001D59CCCA158A695321

Function 03C73D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3ceff87f225040f8ba1ace2eb4a329d84bb13f193e5d06741fdcd4274b7285
Instruction ID: 4372523af7e2bdb675277d268a59b9ca5d73cf12e24d31191b69dbacc6e6fe92
Opcode Fuzzy Hash: 4f3ceff87f225040f8ba1ace2eb4a329d84bb13f193e5d06741fdcd4274b7285
Instruction Fuzzy Hash: AF900271202505429541B3585844ACE410687E1706BD6D415A001D598CCA148A615221

Function 03C72D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec5e3fef85bc7883f36a9a81cfc14227ade316a7002492c8551c14abb453eba
Instruction ID: 0d481d4aae41c2ebb2b2afc0bc20a2567cdc09918271c04b78fd940bbf8aa644
Opcode Fuzzy Hash: 2ec5e3fef85bc7883f36a9a81cfc14227ade316a7002492c8551c14abb453eba
Instruction Fuzzy Hash: 5990026130150403D141B25854586864006D7E1705F96D011E041C598CDA158A565222

Function 03C72CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639d774944fb959c82529cc5b8109e983852a47e9b5d0778f770922c07bb37d4
Instruction ID: cd9ba0f04ae1f3449004b61af729cef47b508c8a8682916607adc07cd4643fa1
Opcode Fuzzy Hash: 639d774944fb959c82529cc5b8109e983852a47e9b5d0778f770922c07bb37d4
Instruction Fuzzy Hash: 8190026160550802D141B2585458786001687D0705F96D011A002C598DC7598B5566A1

Function 03C72CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322bd08880515d1256ad3188221d8dcd285131f1ee51025be506d6dfcc097f55
Instruction ID: 9d4892514085e924343abae3fedf7e74a1a02e932b6321594537480a6ec83b31
Opcode Fuzzy Hash: 322bd08880515d1256ad3188221d8dcd285131f1ee51025be506d6dfcc097f55
Instruction Fuzzy Hash: EA90027120150803D101B2585548787000687D0705F96D411A042C59CDD7568A516121

Function 03C72CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c374ec641fe403108ad000a50be259319a1438c7b2cafa5904bee78014e7d457
Instruction ID: 1c3bcd2550a7eb90aaf10bf9a51a0c36edeeba2c6e0787d547c5b6f210126d10
Opcode Fuzzy Hash: c374ec641fe403108ad000a50be259319a1438c7b2cafa5904bee78014e7d457
Instruction Fuzzy Hash: C790027120150802D101B69854486C6000687E0705F96D011A502C599EC7658A916131

Function 03C72C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2740e0b13f9f5e04f4fe40e20fc2978b1eeb5632a9198ed2366e80f74479692a
Instruction ID: acc37ffa046e2ec2370b46289f10d2877c31a4f321e0a16c5d262f1a977cdc65
Opcode Fuzzy Hash: 2740e0b13f9f5e04f4fe40e20fc2978b1eeb5632a9198ed2366e80f74479692a
Instruction Fuzzy Hash: 7F90027120150C42D101B2584444BC6000687E0705F96C016A012C698D8715CA517521

Function 03C72C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f49764909e6e396c5a00fc965032020b2cfabe2e868c55be8d0337420572be7
Instruction ID: 598963207200d24d0577c0f5483c3fdcfccdafd67aeaeeeddfda3b6d8db47470
Opcode Fuzzy Hash: 7f49764909e6e396c5a00fc965032020b2cfabe2e868c55be8d0337420572be7
Instruction Fuzzy Hash: 5C90027120158C02D111B25884447CA000687D0705F9AC411A442C69CD87958A917121

Function 03C72C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 0d3627805aff96901c21ac4bd397b112becf48653099e955831717f6116fc35e
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 03C72890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03C7293C
___swprintf_l.LIBCMT ref: 03C7295E
___swprintf_l.LIBCMT ref: 03C729A3
___swprintf_l.LIBCMT ref: 03CAA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 03CAA54E
::%hs%u.%u.%u.%u, xrefs: 03CAA527
:%u.%u.%u.%u, xrefs: 03CAA5B8
ffff:, xrefs: 03CAA504

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 68f4612d5e19820e097fea57aa846fb415acdf13e87fb68241b6f7b7fc2dd38e
Instruction ID: efe65e552ba8c6ba2f1a327fbf350d34c612125bbbb71844f3318db3e6f654ce
Opcode Fuzzy Hash: 68f4612d5e19820e097fea57aa846fb415acdf13e87fb68241b6f7b7fc2dd38e
Instruction Fuzzy Hash: 3951EBB6A04556BFCB10DF9DC99097EF7B8BB08204B188569E8A5DB641D334DF44CBE0

Function 03C67630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 03CA4713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03CA4655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03CA4742
CLIENT(ntdll): Processing section info %ws..., xrefs: 03CA4787
ExecuteOptions, xrefs: 03CA46A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03CA46FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03CA4725

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 1c6f53650ccb40283799fe10f8040436b39d97cfbb627499b81fb7a745151332
Instruction ID: 06b9f57d481f30b6d1324014d8eb9986d75efd06abc0d947a6222a4263b94bae
Opcode Fuzzy Hash: 1c6f53650ccb40283799fe10f8040436b39d97cfbb627499b81fb7a745151332
Instruction Fuzzy Hash: E8511735A003196ADB25EBA9DCC5FAE73B8AF04308F0804A9D505EF281E770EA419B50

Function 03C7B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03C7B6BF

Strings

+, xrefs: 03C7B65A
0, xrefs: 03C7B695
0, xrefs: 03C7B66F
-, xrefs: 03C7B650

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 34d7a80f866803ea96099025eacc2307bae200f9dd0d7ef8311687fdf6967e29
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 7D81AF74E452499EDF28CE69C8917FEBBB5AF45350F1C425AEC61EB390C7349E408B60

Function 03C5F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03CA02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03CA02BD
RTL: Re-Waiting, xrefs: 03CA031E

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 80f615509c55bee5a8fbc5557b6c354e971492a0ddee51d2ba228251dccf47b1
Instruction ID: b48dd6e33cae6828f470beb5e4377074818ba2f757c513872737d7287a0a4653
Opcode Fuzzy Hash: 80f615509c55bee5a8fbc5557b6c354e971492a0ddee51d2ba228251dccf47b1
Instruction Fuzzy Hash: 5BE1B031604B42DFD728CF28C884B6AB7E0BB85358F180A5DF9A5CB2D1D775E984CB46

Function 03C6BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03CA7B7F
RTL: Resource at %p, xrefs: 03CA7B8E
RTL: Re-Waiting, xrefs: 03CA7BAC

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 91ee4a63170b419d9167b136cf6e3bc633a358f36bed3f03636805aa3cb5f59d
Instruction ID: ec8330e975c7650e24055be146c3fcb55e893f51878979c81df99d1cc1424b3e
Opcode Fuzzy Hash: 91ee4a63170b419d9167b136cf6e3bc633a358f36bed3f03636805aa3cb5f59d
Instruction Fuzzy Hash: 2341E5397047029FC724DE6ADC80B6AB7E9FF84710F140A2DE956DF690DB30E9058B92

Function 03C6B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03CA728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03CA7294
RTL: Resource at %p, xrefs: 03CA72A3
RTL: Re-Waiting, xrefs: 03CA72C1

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 841dd5f8802488c8e6727995ca81adc7fb992f5a7badcdbd3b8e057a8c326018
Instruction ID: d9f05128909cebfc15da59a1f08ae3aaf03a5f25a2ffc3fd96c899188efcd288
Opcode Fuzzy Hash: 841dd5f8802488c8e6727995ca81adc7fb992f5a7badcdbd3b8e057a8c326018
Instruction Fuzzy Hash: 3641EE35600B06ABC720DE6ACC81B6AB7A5FB84718F144629F895EB240DB21F9529BD1

Function 03C77D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03C77E8B

Strings

-, xrefs: 03C77DDD
+, xrefs: 03C77DE8

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 496ba0ddffc164ef3be77e7d9607d1638b2546ec5716a4f03d6fcad8134fbe6e
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: D491A170E0021E9FDF24DE69CD85ABEB7A5EF44360F18851AEC65EB2C0D7309A418B60

Function 03C39126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03C39175
$, xrefs: 03C39191

Memory Dump Source

Source File: 00000002.00000002.1438634394.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: b8b59842621210d6a43b77628b99d3814a5ea1cd71b293743381447bf040af07
Instruction ID: 6f1e881fbeb022f4a0fa1fbfcd48d6c0d75139eebf8b1b87225491d8be405923
Opcode Fuzzy Hash: b8b59842621210d6a43b77628b99d3814a5ea1cd71b293743381447bf040af07
Instruction Fuzzy Hash: 51812B76D002699BDB31DF54CC48BEEB7B8AB08710F0545DAA919FB280D7709E84DFA0

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Commercial Invoice Packing list.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bezzo

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Commercial Invoice Packing list.exePID: 3232, Parent PID: 4056

General

Windows Analysis Report
Commercial Invoice Packing list.exe

Function 004175E3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042C473 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 03C735C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 03C72B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 03C72DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 0042C7C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Function 0042C773 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042C813 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 03C72C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE