Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Scan_Swift_pdf.exe

Overview

General Information

Sample name:Scan_Swift_pdf.exe
Analysis ID:1523147
MD5:9365ca93e95c781ea713febeab9cf5d4
SHA1:a49e48d497f882186cf5833d6d99623ece64f99e
SHA256:4dc3dca6412cf1394cef6c2fa8d014104bbaa5a4a5b7710a722644fb465aad79
Tags:jaruser-abuse_ch
Infos:

Detection

FormBook
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Scan_Swift_pdf.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\Scan_Swift_pdf.exe" MD5: 9365CA93E95C781EA713FEBEAB9CF5D4)
    • svchost.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\Scan_Swift_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13e3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2f023:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x17332:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      8.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        8.2.svchost.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2e223:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x16532:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        8.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          8.2.svchost.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2f023:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17332:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Scan_Swift_pdf.exe", CommandLine: "C:\Users\user\Desktop\Scan_Swift_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan_Swift_pdf.exe", ParentImage: C:\Users\user\Desktop\Scan_Swift_pdf.exe, ParentProcessId: 7288, ParentProcessName: Scan_Swift_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scan_Swift_pdf.exe", ProcessId: 7752, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\Scan_Swift_pdf.exe", CommandLine: "C:\Users\user\Desktop\Scan_Swift_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan_Swift_pdf.exe", ParentImage: C:\Users\user\Desktop\Scan_Swift_pdf.exe, ParentProcessId: 7288, ParentProcessName: Scan_Swift_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scan_Swift_pdf.exe", ProcessId: 7752, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: Scan_Swift_pdf.exeReversingLabs: Detection: 36%
          Source: Scan_Swift_pdf.exeVirustotal: Detection: 26%Perma Link
          Yara detected FormBook
          Source: Yara matchFile source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: Scan_Swift_pdf.exeJoe Sandbox ML: detected
          Source: Scan_Swift_pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: Scan_Swift_pdf.exe, 00000001.00000003.1325259186.0000000004680000.00000004.00001000.00020000.00000000.sdmp, Scan_Swift_pdf.exe, 00000001.00000003.1326567521.0000000004820000.00000004.00001000.00020000.00000000.sdmp, Scan_Swift_pdf.exe, 00000001.00000003.1325789211.0000000004820000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1519640755.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1561978157.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1521533135.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Scan_Swift_pdf.exe, 00000001.00000003.1325259186.0000000004680000.00000004.00001000.00020000.00000000.sdmp, Scan_Swift_pdf.exe, 00000001.00000003.1326567521.0000000004820000.00000004.00001000.00020000.00000000.sdmp, Scan_Swift_pdf.exe, 00000001.00000003.1325789211.0000000004820000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000003.1519640755.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1561978157.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1521533135.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp
          Source: unknownDNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficDNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: Scan_Swift_pdf.exe
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0042C333 NtClose,8_2_0042C333
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039735C0 NtCreateMutant,LdrInitializeThunk,8_2_039735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972B60 NtClose,LdrInitializeThunk,8_2_03972B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_03972DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03974340 NtSetContextThread,8_2_03974340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03973090 NtSetValueKey,8_2_03973090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03973010 NtOpenDirectoryObject,8_2_03973010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03974650 NtSuspendThread,8_2_03974650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972B80 NtQueryInformationFile,8_2_03972B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972BA0 NtEnumerateValueKey,8_2_03972BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972BF0 NtAllocateVirtualMemory,8_2_03972BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972BE0 NtQueryValueKey,8_2_03972BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972AB0 NtWaitForSingleObject,8_2_03972AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972AD0 NtReadFile,8_2_03972AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972AF0 NtWriteFile,8_2_03972AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039739B0 NtGetContextThread,8_2_039739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972F90 NtProtectVirtualMemory,8_2_03972F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972FB0 NtResumeThread,8_2_03972FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972FA0 NtQuerySection,8_2_03972FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972FE0 NtCreateFile,8_2_03972FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972F30 NtCreateSection,8_2_03972F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972F60 NtCreateProcessEx,8_2_03972F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972E80 NtReadVirtualMemory,8_2_03972E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972EA0 NtAdjustPrivilegesToken,8_2_03972EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972EE0 NtQueueApcThread,8_2_03972EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972E30 NtWriteVirtualMemory,8_2_03972E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972DB0 NtEnumerateKey,8_2_03972DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972DD0 NtDelayExecution,8_2_03972DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972D10 NtMapViewOfSection,8_2_03972D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03973D10 NtOpenProcessToken,8_2_03973D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972D00 NtSetInformationFile,8_2_03972D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972D30 NtUnmapViewOfSection,8_2_03972D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03973D70 NtOpenThread,8_2_03973D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972CA0 NtQueryInformationToken,8_2_03972CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972CC0 NtQueryVirtualMemory,8_2_03972CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972CF0 NtOpenProcess,8_2_03972CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972C00 NtQueryInformationProcess,8_2_03972C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972C70 NtFreeVirtualMemory,8_2_03972C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972C60 NtCreateKey,8_2_03972C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0042E9138_2_0042E913
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004029808_2_00402980
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004012008_2_00401200
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004032808_2_00403280
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0040FD4E8_2_0040FD4E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0040FD538_2_0040FD53
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004025C08_2_004025C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0041669E8_2_0041669E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004166A38_2_004166A3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0040FF738_2_0040FF73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0040DFF38_2_0040DFF3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0398739A8_2_0398739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A003E68_2_03A003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E3F08_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F132D8_2_039F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FA3528_2_039FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392D34C8_2_0392D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039452A08_2_039452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B2C08_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E02748_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A001AA8_2_03A001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394B1B08_2_0394B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F81CC8_2_039F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA1188_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039301008_2_03930100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0B16B8_2_03A0B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F1728_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0397516C8_2_0397516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EF0CC8_2_039EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C08_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F70E98_2_039F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FF0E08_2_039FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FF7B08_2_039FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393C7C08_2_0393C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039317EC8_2_039317EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039647508_2_03964750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039407708_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F16CC8_2_039F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395C6E08_2_0395C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DD5B08_2_039DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A005918_2_03A00591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039405358_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F75718_2_039F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EE4F68_2_039EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FF43F8_2_039FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F24468_2_039F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039314608_2_03931460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395FB808_2_0395FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F6BD78_2_039F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0397DBF98_2_0397DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FFB768_2_039FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393EA808_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DDAAC8_2_039DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03985AA08_2_03985AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EDAC68_2_039EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FFA498_2_039FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F7A468_2_039F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B3A6C8_2_039B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0A9A68_2_03A0A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039429A08_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039499508_2_03949950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B9508_2_0395B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039569628_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039268B88_2_039268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396E8F08_2_0396E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039438E08_2_039438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394A8408_2_0394A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941F928_2_03941F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FFFB18_2_039FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03932FC88_2_03932FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394CFE08_2_0394CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FFF098_2_039FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03960F308_2_03960F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03982F288_2_03982F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B4F408_2_039B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03952E908_2_03952E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FCE938_2_039FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03949EB08_2_03949EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FEEDB8_2_039FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FEE268_2_039FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940E598_2_03940E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03958DBF8_2_03958DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395FDC08_2_0395FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393ADE08_2_0393ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394AD008_2_0394AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F1D5A8_2_039F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03943D408_2_03943D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F7D738_2_039F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0CB58_2_039E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03930CF28_2_03930CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940C008_2_03940C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B9C328_2_039B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0392B970 appears 269 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03975130 appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 039AEA12 appears 84 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 039BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03987E54 appears 86 times
          Source: Scan_Swift_pdf.exe, 00000001.00000003.1325789211.000000000494D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Scan_Swift_pdf.exe
          Source: Scan_Swift_pdf.exe, 00000001.00000003.1325259186.00000000047A3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Scan_Swift_pdf.exe
          Source: Scan_Swift_pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Scan_Swift_pdf.exeStatic PE information: Section: UPX1 ZLIB complexity 0.9933030419829222
          Source: classification engineClassification label: mal88.troj.evad.winEXE@3/1@1/0
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\unnervousnessJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Scan_Swift_pdf.exeReversingLabs: Detection: 36%
          Source: Scan_Swift_pdf.exeVirustotal: Detection: 26%
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeFile read: C:\Users\user\Desktop\Scan_Swift_pdf.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Scan_Swift_pdf.exe "C:\Users\user\Desktop\Scan_Swift_pdf.exe"
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scan_Swift_pdf.exe"
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scan_Swift_pdf.exe"Jump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: iconcodecservice.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Binary string: wntdll.pdbUGP source: Scan_Swift_pdf.exe, 00000001.00000003.1325259186.0000000004680000.00000004.00001000.00020000.00000000.sdmp, Scan_Swift_pdf.exe, 00000001.00000003.1326567521.0000000004820000.00000004.00001000.00020000.00000000.sdmp, Scan_Swift_pdf.exe, 00000001.00000003.1325789211.0000000004820000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1519640755.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1561978157.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1521533135.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Scan_Swift_pdf.exe, 00000001.00000003.1325259186.0000000004680000.00000004.00001000.00020000.00000000.sdmp, Scan_Swift_pdf.exe, 00000001.00000003.1326567521.0000000004820000.00000004.00001000.00020000.00000000.sdmp, Scan_Swift_pdf.exe, 00000001.00000003.1325789211.0000000004820000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000003.1519640755.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1561978157.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1521533135.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0040ABAD push esi; ret 8_2_0040ABBD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0040ABB3 push esi; ret 8_2_0040ABBD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00407477 push eax; iretd 8_2_0040747E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004034F0 push eax; ret 8_2_004034F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00415654 push esp; ret 8_2_00415655
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00401758 push ecx; retf 8_2_00401766
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039309AD push ecx; mov dword ptr [esp], ecx8_2_039309B6
          Source: initial sampleStatic PE information: section name: UPX0
          Source: initial sampleStatic PE information: section name: UPX1

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeAPI/Special instruction interceptor: Address: 4142244
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395BBA0 rdtsc 8_2_0395BBA0
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7756Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395BBA0 rdtsc 8_2_0395BBA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00417653 LdrLoadDll,8_2_00417653
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0398739A mov eax, dword ptr fs:[00000030h]8_2_0398739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0398739A mov eax, dword ptr fs:[00000030h]8_2_0398739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03928397 mov eax, dword ptr fs:[00000030h]8_2_03928397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03928397 mov eax, dword ptr fs:[00000030h]8_2_03928397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03928397 mov eax, dword ptr fs:[00000030h]8_2_03928397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392E388 mov eax, dword ptr fs:[00000030h]8_2_0392E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392E388 mov eax, dword ptr fs:[00000030h]8_2_0392E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392E388 mov eax, dword ptr fs:[00000030h]8_2_0392E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395438F mov eax, dword ptr fs:[00000030h]8_2_0395438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395438F mov eax, dword ptr fs:[00000030h]8_2_0395438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039533A5 mov eax, dword ptr fs:[00000030h]8_2_039533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039633A0 mov eax, dword ptr fs:[00000030h]8_2_039633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039633A0 mov eax, dword ptr fs:[00000030h]8_2_039633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0539D mov eax, dword ptr fs:[00000030h]8_2_03A0539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EB3D0 mov ecx, dword ptr fs:[00000030h]8_2_039EB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EC3CD mov eax, dword ptr fs:[00000030h]8_2_039EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039383C0 mov eax, dword ptr fs:[00000030h]8_2_039383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039383C0 mov eax, dword ptr fs:[00000030h]8_2_039383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039383C0 mov eax, dword ptr fs:[00000030h]8_2_039383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039383C0 mov eax, dword ptr fs:[00000030h]8_2_039383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A053FC mov eax, dword ptr fs:[00000030h]8_2_03A053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E3F0 mov eax, dword ptr fs:[00000030h]8_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E3F0 mov eax, dword ptr fs:[00000030h]8_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E3F0 mov eax, dword ptr fs:[00000030h]8_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039663FF mov eax, dword ptr fs:[00000030h]8_2_039663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EF3E6 mov eax, dword ptr fs:[00000030h]8_2_039EF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392C310 mov ecx, dword ptr fs:[00000030h]8_2_0392C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03950310 mov ecx, dword ptr fs:[00000030h]8_2_03950310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B930B mov eax, dword ptr fs:[00000030h]8_2_039B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B930B mov eax, dword ptr fs:[00000030h]8_2_039B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B930B mov eax, dword ptr fs:[00000030h]8_2_039B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A30B mov eax, dword ptr fs:[00000030h]8_2_0396A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A30B mov eax, dword ptr fs:[00000030h]8_2_0396A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A30B mov eax, dword ptr fs:[00000030h]8_2_0396A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03927330 mov eax, dword ptr fs:[00000030h]8_2_03927330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F132D mov eax, dword ptr fs:[00000030h]8_2_039F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F132D mov eax, dword ptr fs:[00000030h]8_2_039F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395F32A mov eax, dword ptr fs:[00000030h]8_2_0395F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929353 mov eax, dword ptr fs:[00000030h]8_2_03929353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929353 mov eax, dword ptr fs:[00000030h]8_2_03929353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov ecx, dword ptr fs:[00000030h]8_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FA352 mov eax, dword ptr fs:[00000030h]8_2_039FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392D34C mov eax, dword ptr fs:[00000030h]8_2_0392D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392D34C mov eax, dword ptr fs:[00000030h]8_2_0392D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A05341 mov eax, dword ptr fs:[00000030h]8_2_03A05341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D437C mov eax, dword ptr fs:[00000030h]8_2_039D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03937370 mov eax, dword ptr fs:[00000030h]8_2_03937370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03937370 mov eax, dword ptr fs:[00000030h]8_2_03937370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03937370 mov eax, dword ptr fs:[00000030h]8_2_03937370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EF367 mov eax, dword ptr fs:[00000030h]8_2_039EF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396329E mov eax, dword ptr fs:[00000030h]8_2_0396329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396329E mov eax, dword ptr fs:[00000030h]8_2_0396329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396E284 mov eax, dword ptr fs:[00000030h]8_2_0396E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396E284 mov eax, dword ptr fs:[00000030h]8_2_0396E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B0283 mov eax, dword ptr fs:[00000030h]8_2_039B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B0283 mov eax, dword ptr fs:[00000030h]8_2_039B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B0283 mov eax, dword ptr fs:[00000030h]8_2_039B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A05283 mov eax, dword ptr fs:[00000030h]8_2_03A05283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B92BC mov eax, dword ptr fs:[00000030h]8_2_039B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B92BC mov eax, dword ptr fs:[00000030h]8_2_039B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B92BC mov ecx, dword ptr fs:[00000030h]8_2_039B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B92BC mov ecx, dword ptr fs:[00000030h]8_2_039B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402A0 mov eax, dword ptr fs:[00000030h]8_2_039402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402A0 mov eax, dword ptr fs:[00000030h]8_2_039402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039452A0 mov eax, dword ptr fs:[00000030h]8_2_039452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039452A0 mov eax, dword ptr fs:[00000030h]8_2_039452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039452A0 mov eax, dword ptr fs:[00000030h]8_2_039452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039452A0 mov eax, dword ptr fs:[00000030h]8_2_039452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F92A6 mov eax, dword ptr fs:[00000030h]8_2_039F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F92A6 mov eax, dword ptr fs:[00000030h]8_2_039F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F92A6 mov eax, dword ptr fs:[00000030h]8_2_039F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F92A6 mov eax, dword ptr fs:[00000030h]8_2_039F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov ecx, dword ptr fs:[00000030h]8_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C72A0 mov eax, dword ptr fs:[00000030h]8_2_039C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C72A0 mov eax, dword ptr fs:[00000030h]8_2_039C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B2D3 mov eax, dword ptr fs:[00000030h]8_2_0392B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B2D3 mov eax, dword ptr fs:[00000030h]8_2_0392B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B2D3 mov eax, dword ptr fs:[00000030h]8_2_0392B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A052E2 mov eax, dword ptr fs:[00000030h]8_2_03A052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395F2D0 mov eax, dword ptr fs:[00000030h]8_2_0395F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395F2D0 mov eax, dword ptr fs:[00000030h]8_2_0395F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B2C0 mov eax, dword ptr fs:[00000030h]8_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B2C0 mov eax, dword ptr fs:[00000030h]8_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B2C0 mov eax, dword ptr fs:[00000030h]8_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B2C0 mov eax, dword ptr fs:[00000030h]8_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B2C0 mov eax, dword ptr fs:[00000030h]8_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B2C0 mov eax, dword ptr fs:[00000030h]8_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B2C0 mov eax, dword ptr fs:[00000030h]8_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039392C5 mov eax, dword ptr fs:[00000030h]8_2_039392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039392C5 mov eax, dword ptr fs:[00000030h]8_2_039392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EF2F8 mov eax, dword ptr fs:[00000030h]8_2_039EF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039292FF mov eax, dword ptr fs:[00000030h]8_2_039292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E12ED mov eax, dword ptr fs:[00000030h]8_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402E1 mov eax, dword ptr fs:[00000030h]8_2_039402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402E1 mov eax, dword ptr fs:[00000030h]8_2_039402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402E1 mov eax, dword ptr fs:[00000030h]8_2_039402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A05227 mov eax, dword ptr fs:[00000030h]8_2_03A05227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03967208 mov eax, dword ptr fs:[00000030h]8_2_03967208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03967208 mov eax, dword ptr fs:[00000030h]8_2_03967208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392823B mov eax, dword ptr fs:[00000030h]8_2_0392823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A250 mov eax, dword ptr fs:[00000030h]8_2_0392A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EB256 mov eax, dword ptr fs:[00000030h]8_2_039EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EB256 mov eax, dword ptr fs:[00000030h]8_2_039EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03936259 mov eax, dword ptr fs:[00000030h]8_2_03936259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929240 mov eax, dword ptr fs:[00000030h]8_2_03929240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929240 mov eax, dword ptr fs:[00000030h]8_2_03929240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396724D mov eax, dword ptr fs:[00000030h]8_2_0396724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03959274 mov eax, dword ptr fs:[00000030h]8_2_03959274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03971270 mov eax, dword ptr fs:[00000030h]8_2_03971270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03971270 mov eax, dword ptr fs:[00000030h]8_2_03971270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03934260 mov eax, dword ptr fs:[00000030h]8_2_03934260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03934260 mov eax, dword ptr fs:[00000030h]8_2_03934260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03934260 mov eax, dword ptr fs:[00000030h]8_2_03934260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FD26B mov eax, dword ptr fs:[00000030h]8_2_039FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FD26B mov eax, dword ptr fs:[00000030h]8_2_039FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392826B mov eax, dword ptr fs:[00000030h]8_2_0392826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B019F mov eax, dword ptr fs:[00000030h]8_2_039B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B019F mov eax, dword ptr fs:[00000030h]8_2_039B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B019F mov eax, dword ptr fs:[00000030h]8_2_039B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B019F mov eax, dword ptr fs:[00000030h]8_2_039B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A197 mov eax, dword ptr fs:[00000030h]8_2_0392A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A197 mov eax, dword ptr fs:[00000030h]8_2_0392A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A197 mov eax, dword ptr fs:[00000030h]8_2_0392A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03970185 mov eax, dword ptr fs:[00000030h]8_2_03970185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EC188 mov eax, dword ptr fs:[00000030h]8_2_039EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EC188 mov eax, dword ptr fs:[00000030h]8_2_039EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394B1B0 mov eax, dword ptr fs:[00000030h]8_2_0394B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E11A4 mov eax, dword ptr fs:[00000030h]8_2_039E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E11A4 mov eax, dword ptr fs:[00000030h]8_2_039E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E11A4 mov eax, dword ptr fs:[00000030h]8_2_039E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E11A4 mov eax, dword ptr fs:[00000030h]8_2_039E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A061E5 mov eax, dword ptr fs:[00000030h]8_2_03A061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396D1D0 mov eax, dword ptr fs:[00000030h]8_2_0396D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396D1D0 mov ecx, dword ptr fs:[00000030h]8_2_0396D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F61C3 mov eax, dword ptr fs:[00000030h]8_2_039F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F61C3 mov eax, dword ptr fs:[00000030h]8_2_039F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A051CB mov eax, dword ptr fs:[00000030h]8_2_03A051CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039601F8 mov eax, dword ptr fs:[00000030h]8_2_039601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039551EF mov eax, dword ptr fs:[00000030h]8_2_039551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039351ED mov eax, dword ptr fs:[00000030h]8_2_039351ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA118 mov ecx, dword ptr fs:[00000030h]8_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA118 mov eax, dword ptr fs:[00000030h]8_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA118 mov eax, dword ptr fs:[00000030h]8_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA118 mov eax, dword ptr fs:[00000030h]8_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F0115 mov eax, dword ptr fs:[00000030h]8_2_039F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03931131 mov eax, dword ptr fs:[00000030h]8_2_03931131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03931131 mov eax, dword ptr fs:[00000030h]8_2_03931131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B136 mov eax, dword ptr fs:[00000030h]8_2_0392B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B136 mov eax, dword ptr fs:[00000030h]8_2_0392B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B136 mov eax, dword ptr fs:[00000030h]8_2_0392B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B136 mov eax, dword ptr fs:[00000030h]8_2_0392B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03960124 mov eax, dword ptr fs:[00000030h]8_2_03960124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03937152 mov eax, dword ptr fs:[00000030h]8_2_03937152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392C156 mov eax, dword ptr fs:[00000030h]8_2_0392C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03936154 mov eax, dword ptr fs:[00000030h]8_2_03936154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03936154 mov eax, dword ptr fs:[00000030h]8_2_03936154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov eax, dword ptr fs:[00000030h]8_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov eax, dword ptr fs:[00000030h]8_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov ecx, dword ptr fs:[00000030h]8_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov eax, dword ptr fs:[00000030h]8_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov eax, dword ptr fs:[00000030h]8_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929148 mov eax, dword ptr fs:[00000030h]8_2_03929148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929148 mov eax, dword ptr fs:[00000030h]8_2_03929148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929148 mov eax, dword ptr fs:[00000030h]8_2_03929148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929148 mov eax, dword ptr fs:[00000030h]8_2_03929148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F172 mov eax, dword ptr fs:[00000030h]8_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C9179 mov eax, dword ptr fs:[00000030h]8_2_039C9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A05152 mov eax, dword ptr fs:[00000030h]8_2_03A05152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03935096 mov eax, dword ptr fs:[00000030h]8_2_03935096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395D090 mov eax, dword ptr fs:[00000030h]8_2_0395D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395D090 mov eax, dword ptr fs:[00000030h]8_2_0395D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396909C mov eax, dword ptr fs:[00000030h]8_2_0396909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393208A mov eax, dword ptr fs:[00000030h]8_2_0393208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392D08D mov eax, dword ptr fs:[00000030h]8_2_0392D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F60B8 mov eax, dword ptr fs:[00000030h]8_2_039F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F60B8 mov ecx, dword ptr fs:[00000030h]8_2_039F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B20DE mov eax, dword ptr fs:[00000030h]8_2_039B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039590DB mov eax, dword ptr fs:[00000030h]8_2_039590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov ecx, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov ecx, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov ecx, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov ecx, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039470C0 mov eax, dword ptr fs:[00000030h]8_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392C0F0 mov eax, dword ptr fs:[00000030h]8_2_0392C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039720F0 mov ecx, dword ptr fs:[00000030h]8_2_039720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039550E4 mov eax, dword ptr fs:[00000030h]8_2_039550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039550E4 mov ecx, dword ptr fs:[00000030h]8_2_039550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]8_2_0392A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A050D9 mov eax, dword ptr fs:[00000030h]8_2_03A050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039380E9 mov eax, dword ptr fs:[00000030h]8_2_039380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E016 mov eax, dword ptr fs:[00000030h]8_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E016 mov eax, dword ptr fs:[00000030h]8_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E016 mov eax, dword ptr fs:[00000030h]8_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E016 mov eax, dword ptr fs:[00000030h]8_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F903E mov eax, dword ptr fs:[00000030h]8_2_039F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F903E mov eax, dword ptr fs:[00000030h]8_2_039F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F903E mov eax, dword ptr fs:[00000030h]8_2_039F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F903E mov eax, dword ptr fs:[00000030h]8_2_039F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A020 mov eax, dword ptr fs:[00000030h]8_2_0392A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392C020 mov eax, dword ptr fs:[00000030h]8_2_0392C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A05060 mov eax, dword ptr fs:[00000030h]8_2_03A05060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03932050 mov eax, dword ptr fs:[00000030h]8_2_03932050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D705E mov ebx, dword ptr fs:[00000030h]8_2_039D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D705E mov eax, dword ptr fs:[00000030h]8_2_039D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395B052 mov eax, dword ptr fs:[00000030h]8_2_0395B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov ecx, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03941070 mov eax, dword ptr fs:[00000030h]8_2_03941070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395C073 mov eax, dword ptr fs:[00000030h]8_2_0395C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EF78A mov eax, dword ptr fs:[00000030h]8_2_039EF78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A037B6 mov eax, dword ptr fs:[00000030h]8_2_03A037B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395D7B0 mov eax, dword ptr fs:[00000030h]8_2_0395D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F7BA mov eax, dword ptr fs:[00000030h]8_2_0392F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B97A9 mov eax, dword ptr fs:[00000030h]8_2_039B97A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039BF7AF mov eax, dword ptr fs:[00000030h]8_2_039BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039BF7AF mov eax, dword ptr fs:[00000030h]8_2_039BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039BF7AF mov eax, dword ptr fs:[00000030h]8_2_039BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039BF7AF mov eax, dword ptr fs:[00000030h]8_2_039BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039BF7AF mov eax, dword ptr fs:[00000030h]8_2_039BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039307AF mov eax, dword ptr fs:[00000030h]8_2_039307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393C7C0 mov eax, dword ptr fs:[00000030h]8_2_0393C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039357C0 mov eax, dword ptr fs:[00000030h]8_2_039357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039357C0 mov eax, dword ptr fs:[00000030h]8_2_039357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039357C0 mov eax, dword ptr fs:[00000030h]8_2_039357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039347FB mov eax, dword ptr fs:[00000030h]8_2_039347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039347FB mov eax, dword ptr fs:[00000030h]8_2_039347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393D7E0 mov ecx, dword ptr fs:[00000030h]8_2_0393D7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039527ED mov eax, dword ptr fs:[00000030h]8_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039527ED mov eax, dword ptr fs:[00000030h]8_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039527ED mov eax, dword ptr fs:[00000030h]8_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039317EC mov eax, dword ptr fs:[00000030h]8_2_039317EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039317EC mov eax, dword ptr fs:[00000030h]8_2_039317EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039317EC mov eax, dword ptr fs:[00000030h]8_2_039317EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03930710 mov eax, dword ptr fs:[00000030h]8_2_03930710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03960710 mov eax, dword ptr fs:[00000030h]8_2_03960710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396F71F mov eax, dword ptr fs:[00000030h]8_2_0396F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396F71F mov eax, dword ptr fs:[00000030h]8_2_0396F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03937703 mov eax, dword ptr fs:[00000030h]8_2_03937703
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03935702 mov eax, dword ptr fs:[00000030h]8_2_03935702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03935702 mov eax, dword ptr fs:[00000030h]8_2_03935702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396C700 mov eax, dword ptr fs:[00000030h]8_2_0396C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0B73C mov eax, dword ptr fs:[00000030h]8_2_03A0B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0B73C mov eax, dword ptr fs:[00000030h]8_2_03A0B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0B73C mov eax, dword ptr fs:[00000030h]8_2_03A0B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0B73C mov eax, dword ptr fs:[00000030h]8_2_03A0B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929730 mov eax, dword ptr fs:[00000030h]8_2_03929730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03929730 mov eax, dword ptr fs:[00000030h]8_2_03929730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03965734 mov eax, dword ptr fs:[00000030h]8_2_03965734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393973A mov eax, dword ptr fs:[00000030h]8_2_0393973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393973A mov eax, dword ptr fs:[00000030h]8_2_0393973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396273C mov eax, dword ptr fs:[00000030h]8_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396273C mov ecx, dword ptr fs:[00000030h]8_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396273C mov eax, dword ptr fs:[00000030h]8_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AC730 mov eax, dword ptr fs:[00000030h]8_2_039AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EF72E mov eax, dword ptr fs:[00000030h]8_2_039EF72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03933720 mov eax, dword ptr fs:[00000030h]8_2_03933720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394F720 mov eax, dword ptr fs:[00000030h]8_2_0394F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394F720 mov eax, dword ptr fs:[00000030h]8_2_0394F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394F720 mov eax, dword ptr fs:[00000030h]8_2_0394F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F972B mov eax, dword ptr fs:[00000030h]8_2_039F972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396C720 mov eax, dword ptr fs:[00000030h]8_2_0396C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396C720 mov eax, dword ptr fs:[00000030h]8_2_0396C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03930750 mov eax, dword ptr fs:[00000030h]8_2_03930750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972750 mov eax, dword ptr fs:[00000030h]8_2_03972750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972750 mov eax, dword ptr fs:[00000030h]8_2_03972750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B4755 mov eax, dword ptr fs:[00000030h]8_2_039B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03943740 mov eax, dword ptr fs:[00000030h]8_2_03943740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03943740 mov eax, dword ptr fs:[00000030h]8_2_03943740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03943740 mov eax, dword ptr fs:[00000030h]8_2_03943740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396674D mov esi, dword ptr fs:[00000030h]8_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396674D mov eax, dword ptr fs:[00000030h]8_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396674D mov eax, dword ptr fs:[00000030h]8_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03938770 mov eax, dword ptr fs:[00000030h]8_2_03938770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03940770 mov eax, dword ptr fs:[00000030h]8_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A03749 mov eax, dword ptr fs:[00000030h]8_2_03A03749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B765 mov eax, dword ptr fs:[00000030h]8_2_0392B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B765 mov eax, dword ptr fs:[00000030h]8_2_0392B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B765 mov eax, dword ptr fs:[00000030h]8_2_0392B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392B765 mov eax, dword ptr fs:[00000030h]8_2_0392B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03934690 mov eax, dword ptr fs:[00000030h]8_2_03934690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03934690 mov eax, dword ptr fs:[00000030h]8_2_03934690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B368C mov eax, dword ptr fs:[00000030h]8_2_039B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B368C mov eax, dword ptr fs:[00000030h]8_2_039B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B368C mov eax, dword ptr fs:[00000030h]8_2_039B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B368C mov eax, dword ptr fs:[00000030h]8_2_039B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039276B2 mov eax, dword ptr fs:[00000030h]8_2_039276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039276B2 mov eax, dword ptr fs:[00000030h]8_2_039276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039276B2 mov eax, dword ptr fs:[00000030h]8_2_039276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039666B0 mov eax, dword ptr fs:[00000030h]8_2_039666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396C6A6 mov eax, dword ptr fs:[00000030h]8_2_0396C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392D6AA mov eax, dword ptr fs:[00000030h]8_2_0392D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392D6AA mov eax, dword ptr fs:[00000030h]8_2_0392D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]8_2_0396A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A6C7 mov eax, dword ptr fs:[00000030h]8_2_0396A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393B6C0 mov eax, dword ptr fs:[00000030h]8_2_0393B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393B6C0 mov eax, dword ptr fs:[00000030h]8_2_0393B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393B6C0 mov eax, dword ptr fs:[00000030h]8_2_0393B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393B6C0 mov eax, dword ptr fs:[00000030h]8_2_0393B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393B6C0 mov eax, dword ptr fs:[00000030h]8_2_0393B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393B6C0 mov eax, dword ptr fs:[00000030h]8_2_0393B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F16CC mov eax, dword ptr fs:[00000030h]8_2_039F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F16CC mov eax, dword ptr fs:[00000030h]8_2_039F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F16CC mov eax, dword ptr fs:[00000030h]8_2_039F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F16CC mov eax, dword ptr fs:[00000030h]8_2_039F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EF6C7 mov eax, dword ptr fs:[00000030h]8_2_039EF6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039616CF mov eax, dword ptr fs:[00000030h]8_2_039616CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE6F2 mov eax, dword ptr fs:[00000030h]8_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE6F2 mov eax, dword ptr fs:[00000030h]8_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE6F2 mov eax, dword ptr fs:[00000030h]8_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE6F2 mov eax, dword ptr fs:[00000030h]8_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B06F1 mov eax, dword ptr fs:[00000030h]8_2_039B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B06F1 mov eax, dword ptr fs:[00000030h]8_2_039B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039ED6F0 mov eax, dword ptr fs:[00000030h]8_2_039ED6F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C36EE mov eax, dword ptr fs:[00000030h]8_2_039C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C36EE mov eax, dword ptr fs:[00000030h]8_2_039C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C36EE mov eax, dword ptr fs:[00000030h]8_2_039C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C36EE mov eax, dword ptr fs:[00000030h]8_2_039C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C36EE mov eax, dword ptr fs:[00000030h]8_2_039C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C36EE mov eax, dword ptr fs:[00000030h]8_2_039C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395D6E0 mov eax, dword ptr fs:[00000030h]8_2_0395D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395D6E0 mov eax, dword ptr fs:[00000030h]8_2_0395D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039636EF mov eax, dword ptr fs:[00000030h]8_2_039636EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03933616 mov eax, dword ptr fs:[00000030h]8_2_03933616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03933616 mov eax, dword ptr fs:[00000030h]8_2_03933616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03972619 mov eax, dword ptr fs:[00000030h]8_2_03972619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03961607 mov eax, dword ptr fs:[00000030h]8_2_03961607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE609 mov eax, dword ptr fs:[00000030h]8_2_039AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396F603 mov eax, dword ptr fs:[00000030h]8_2_0396F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A05636 mov eax, dword ptr fs:[00000030h]8_2_03A05636
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394260B mov eax, dword ptr fs:[00000030h]8_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394260B mov eax, dword ptr fs:[00000030h]8_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394260B mov eax, dword ptr fs:[00000030h]8_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394260B mov eax, dword ptr fs:[00000030h]8_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394260B mov eax, dword ptr fs:[00000030h]8_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394260B mov eax, dword ptr fs:[00000030h]8_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394260B mov eax, dword ptr fs:[00000030h]8_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E627 mov eax, dword ptr fs:[00000030h]8_2_0394E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392F626 mov eax, dword ptr fs:[00000030h]8_2_0392F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03966620 mov eax, dword ptr fs:[00000030h]8_2_03966620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03968620 mov eax, dword ptr fs:[00000030h]8_2_03968620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393262C mov eax, dword ptr fs:[00000030h]8_2_0393262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394C640 mov eax, dword ptr fs:[00000030h]8_2_0394C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03962674 mov eax, dword ptr fs:[00000030h]8_2_03962674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F866E mov eax, dword ptr fs:[00000030h]8_2_039F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F866E mov eax, dword ptr fs:[00000030h]8_2_039F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A660 mov eax, dword ptr fs:[00000030h]8_2_0396A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A660 mov eax, dword ptr fs:[00000030h]8_2_0396A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03969660 mov eax, dword ptr fs:[00000030h]8_2_03969660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03969660 mov eax, dword ptr fs:[00000030h]8_2_03969660

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2F11008Jump to behavior
          Source: C:\Users\user\Desktop\Scan_Swift_pdf.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scan_Swift_pdf.exe"Jump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		211
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping12
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		211
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable Media1
          Non-Application Layer Protocol          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager1
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared Drive1
          Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook21
          Obfuscated Files or Information          		NTDS1
          File and Directory Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
          Software Packing          		LSA Secrets11
          System Information Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          DLL Side-Loading          		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Scan_Swift_pdf.exe37%ReversingLabsWin32.Trojan.Autoitinject
          Scan_Swift_pdf.exe27%VirustotalBrowse
          Scan_Swift_pdf.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          SourceDetectionScannerLabelLink
          198.187.3.20.in-addr.arpa1%VirustotalBrowse

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          198.187.3.20.in-addr.arpa
          		unknown
          		unknowntrueunknown

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1523147
          Start date and time:2024-10-01 07:31:16 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 35s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:13
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:Scan_Swift_pdf.exe
          Detection:MAL
          Classification:mal88.troj.evad.winEXE@3/1@1/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 92%
          • Number of executed functions: 9
          • Number of non-executed functions: 311
          Cookbook Comments:
          • Found application associated with file extension: .exe

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

          Simulations

          Behavior and APIs

          TimeTypeDescription
          01:32:33API Interceptor3x Sleep call for process: svchost.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Temp\unnervousness

          Download File
          Process:C:\Users\user\Desktop\Scan_Swift_pdf.exe
          File Type:data
          Category:dropped
          Size (bytes):287744
          Entropy (8bit):7.9911438243988995
          Encrypted:true
          SSDEEP:6144:ZLGbZCTGDFQaqs7JgXP1c9eAi/oR0CiZIbsxW9pd+Y7aQjj2BKnjTu:ZLGNH1HegadDxW8Y7aQXA4jTu
          MD5:9E7492FA081CD6A8C8B5556B8D047631
          SHA1:D82BFEEE04E519A67F1D7D1886D9B3F75203E8FF
          SHA-256:63AC8C7DC92A1E7E0BC24900374F24C6FE007E6829D5D2C7A880739134839681
          SHA-512:C34339BF619E61E45005F078FFDF9EBDA2F7D2DBBFBD90589E7E1514DFFC37741586B52AAC4B694BB9B1AB4FE2955B9ADD64EEEBCE963895473FA07C17DC2B4E
          Malicious:false
          Reputation:low
          Preview:~..g.43TU..:.....TV...TO..3TUUXD3WG5D43TUUXD3WG5D43TUUXD.WG5J+.ZU.Q...Fy..g<<&x4A8 G%Y.74;6+Gw%PdFF:u<6dw...)[W1{XUN.WG5D43T,TQ..7 .yTT.h5?.)...~TT.O...7 .^...i5?.a>$]yTT.UUXD3WG5.q3T.TYDV..TD43TUUXD.WE4O58TU.\D3WG5D43TU@XD3GG5DD7TUU.D3GG5D63TSUXD3WG5B43TUUXD3'C5D63TUUXD1W..D4#TUEXD3WW5D$3TUUXD#WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD.#"M043T..\D3GG5Df7TUEXD3WG5D43TUUXD.WGUD43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5D43TUUXD3WG5

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
          Entropy (8bit):7.9917843005908225
          TrID:
          • Win32 Executable (generic) a (10002005/4) 94.59%
          • AutoIt3 compiled script executable (510682/80) 4.83%
          • UPX compressed Win32 Executable (30571/9) 0.29%
          • Win32 EXE Yoda's Crypter (26571/9) 0.25%
          • Generic Win/DOS Executable (2004/3) 0.02%
          File name:Scan_Swift_pdf.exe
          File size:1'037'167 bytes
          MD5:9365ca93e95c781ea713febeab9cf5d4
          SHA1:a49e48d497f882186cf5833d6d99623ece64f99e
          SHA256:4dc3dca6412cf1394cef6c2fa8d014104bbaa5a4a5b7710a722644fb465aad79
          SHA512:8f107829ec47b2a359ce78789bc3050d8ee1801427af33147555e036e0da16387c73eeffa5021270975a6bfc739059256a19a2cee4e28acaee659d635bca858d
          SSDEEP:24576:CD0tM85tbNJjldeYiYwii+X5M30EssAccaGLEk+n9GgMhc8EFEBspuKsPuR:CD0tM85DJjl/ixii+XWZ1crLEtnkgP8u
          TLSH:EC253302B696D6DEF5F38272655E73CD194F5C62AA263F202B6E1C760F18379C3A6043
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

          File Icon

          Icon Hash:4599b5a59919a5d1

          Static PE Info

          General

          Entrypoint:0x4b3b80
          Entrypoint Section:UPX1
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:TERMINAL_SERVER_AWARE
          Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:0
          File Version Major:5
          File Version Minor:0
          Subsystem Version Major:5
          Subsystem Version Minor:0
          Import Hash:77b2e5e9b52fbef7638f64ab65f0c58c

          Entrypoint Preview

          Instruction
          pushad
          mov esi, 00472000h
          lea edi, dword ptr [esi-00071000h]
          push edi
          jmp 00007FC5987D1C7Dh
          nop
          mov al, byte ptr [esi]
          inc esi
          mov byte ptr [edi], al
          inc edi
          add ebx, ebx
          jne 00007FC5987D1C79h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007FC5987D1C5Fh
          mov eax, 00000001h
          add ebx, ebx
          jne 00007FC5987D1C79h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc eax, eax
          add ebx, ebx
          jnc 00007FC5987D1C7Dh
          jne 00007FC5987D1C9Ah
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007FC5987D1C91h
          dec eax
          add ebx, ebx
          jne 00007FC5987D1C79h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc eax, eax
          jmp 00007FC5987D1C46h
          add ebx, ebx
          jne 00007FC5987D1C79h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          jmp 00007FC5987D1CC4h
          xor ecx, ecx
          sub eax, 03h
          jc 00007FC5987D1C83h
          shl eax, 08h
          mov al, byte ptr [esi]
          inc esi
          xor eax, FFFFFFFFh
          je 00007FC5987D1CE7h
          sar eax, 1
          mov ebp, eax
          jmp 00007FC5987D1C7Dh
          add ebx, ebx
          jne 00007FC5987D1C79h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007FC5987D1C3Eh
          inc ecx
          add ebx, ebx
          jne 00007FC5987D1C79h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007FC5987D1C30h
          add ebx, ebx
          jne 00007FC5987D1C79h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          add ebx, ebx
          jnc 00007FC5987D1C61h
          jne 00007FC5987D1C7Bh
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jnc 00007FC5987D1C56h
          add ecx, 02h
          cmp ebp, FFFFFB00h
          adc ecx, 02h
          lea edx, dword ptr [edi+ebp]
          cmp ebp, FFFFFFFCh
          jbe 00007FC5987D1C80h
          mov al, byte ptr [edx]

          Rich Headers

          Programming Language:
          • [ASM] VS2008 SP1 build 30729
          • [ C ] VS2008 SP1 build 30729
          • [C++] VS2008 SP1 build 30729
          • [ C ] VS2005 build 50727
          • [IMP] VS2005 build 50727
          • [ASM] VS2008 build 21022
          • [RES] VS2008 build 21022
          • [LNK] VS2008 SP1 build 30729

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0xb68d40x3b0.rsrc
          IMAGE_DIRECTORY_ENTRY_RESOURCE0xb40000x28d4.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x00x0
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          UPX00x10000x710000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          UPX10x720000x420000x41e00daa1b585c9629716df299d9d902f001aFalse0.9933030419829222data7.929414128970389IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0xb40000x30000x2e00e8418930c24385c93192395d60e93f9bFalse0.7455842391304348data6.782930447807714IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_ICON0xb444c0x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
          RT_ICON0xb45780x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
          RT_ICON0xb46a40x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
          RT_ICON0xb47d00x1c94PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9656916347731
          RT_MENU0xad4580x50dataEnglishGreat Britain1.1375
          RT_DIALOG0xad4a80xfcdataEnglishGreat Britain1.0436507936507937
          RT_STRING0xad5a80x530dataEnglishGreat Britain1.0082831325301205
          RT_STRING0xadad80x690dataEnglishGreat Britain1.006547619047619
          RT_STRING0xae1680x43adataEnglishGreat Britain1.010166358595194
          RT_STRING0xae5a80x5fcdataEnglishGreat Britain1.0071801566579635
          RT_STRING0xaeba80x65cdataEnglishGreat Britain1.0067567567567568
          RT_STRING0xaf2080x388dataEnglishGreat Britain1.0121681415929205
          RT_STRING0xaf5900x158dataEnglishUnited States1.0319767441860466
          RT_GROUP_ICON0xb64680x14dataEnglishGreat Britain1.2
          RT_GROUP_ICON0xb64800x14dataEnglishGreat Britain1.15
          RT_GROUP_ICON0xb64980x14dataEnglishGreat Britain1.25
          RT_GROUP_ICON0xb64b00x14dataEnglishGreat Britain1.25
          RT_VERSION0xb64c80x19cdataEnglishGreat Britain0.5339805825242718
          RT_MANIFEST0xb66680x26cASCII text, with CRLF line terminatorsEnglishUnited States0.5145161290322581

          Imports

          DLLImport
          KERNEL32.DLLLoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
          ADVAPI32.dllGetAce
          COMCTL32.dllImageList_Remove
          COMDLG32.dllGetSaveFileNameW
          GDI32.dllLineTo
          MPR.dllWNetGetConnectionW
          ole32.dllCoInitialize
          OLEAUT32.dllSafeArrayUnaccessData
          PSAPI.DLLEnumProcesses
          SHELL32.dllDragFinish
          USER32.dllGetDC
          USERENV.dllLoadUserProfileW
          VERSION.dllVerQueryValueW
          WININET.dllFtpOpenFileW
          WINMM.dlltimeGetTime
          WSOCK32.dllrecv

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          EnglishGreat Britain
          EnglishUnited States

          Network Behavior

          Network Port Distribution

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Oct 1, 2024 07:32:39.685945988 CEST5350789162.159.36.2192.168.2.10
          Oct 1, 2024 07:32:40.144995928 CEST6150653192.168.2.101.1.1.1
          Oct 1, 2024 07:32:40.152681112 CEST53615061.1.1.1192.168.2.10

          DNS Queries

          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
          Oct 1, 2024 07:32:40.144995928 CEST192.168.2.101.1.1.10x80e7Standard query (0)198.187.3.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Oct 1, 2024 07:32:40.152681112 CEST1.1.1.1192.168.2.100x80e7Name error (3)198.187.3.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:1
          Start time:01:32:05
          Start date:01/10/2024
          Path:C:\Users\user\Desktop\Scan_Swift_pdf.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Scan_Swift_pdf.exe"
          Imagebase:0x400000
          File size:1'037'167 bytes
          MD5 hash:9365CA93E95C781EA713FEBEAB9CF5D4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          General

          Target ID:8
          Start time:01:32:11
          Start date:01/10/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Scan_Swift_pdf.exe"
          Imagebase:0x870000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1561948040.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:0.9%
            Dynamic/Decrypted Code Coverage:6.6%
            Signature Coverage:11%
            Total number of Nodes:91
            Total number of Limit Nodes:7
            execution_graph 76021 424703 76022 42471f 76021->76022 76023 424747 76022->76023 76024 42475b 76022->76024 76025 42c333 NtClose 76023->76025 76031 42c333 76024->76031 76027 424750 76025->76027 76028 424764 76034 42e4d3 RtlAllocateHeap 76028->76034 76030 42476f 76032 42c34d 76031->76032 76033 42c35e NtClose 76032->76033 76033->76028 76034->76030 76041 42f5d3 76044 42e3b3 76041->76044 76047 42c693 76044->76047 76046 42e3cc 76048 42c6b0 76047->76048 76049 42c6c1 RtlFreeHeap 76048->76049 76049->76046 76050 42b913 76051 42b92d 76050->76051 76054 3972df0 LdrInitializeThunk 76051->76054 76052 42b955 76054->76052 76055 424a93 76059 424aac 76055->76059 76056 424b3c 76057 424af4 76058 42e3b3 RtlFreeHeap 76057->76058 76060 424b04 76058->76060 76059->76056 76059->76057 76061 424b37 76059->76061 76062 42e3b3 RtlFreeHeap 76061->76062 76062->76056 76063 42e493 76066 42c643 76063->76066 76065 42e4ae 76067 42c660 76066->76067 76068 42c671 RtlAllocateHeap 76067->76068 76068->76065 76035 413b03 76036 413b23 76035->76036 76038 413b8c 76036->76038 76040 41b253 RtlFreeHeap LdrInitializeThunk 76036->76040 76039 413b82 76040->76039 76069 417653 76070 417677 76069->76070 76071 4176b3 LdrLoadDll 76070->76071 76072 41767e 76070->76072 76071->76072 76073 401bb2 76074 401bba 76073->76074 76077 42fa43 76074->76077 76080 42df83 76077->76080 76081 42dfa9 76080->76081 76090 407653 76081->76090 76083 42dfbf 76084 401ca7 76083->76084 76093 41af43 76083->76093 76086 42dfde 76087 42dff3 76086->76087 76088 42c6e3 ExitProcess 76086->76088 76104 42c6e3 76087->76104 76088->76087 76107 416313 76090->76107 76092 407660 76092->76083 76094 41af6f 76093->76094 76125 41ae33 76094->76125 76097 41af9c 76100 41afa7 76097->76100 76101 42c333 NtClose 76097->76101 76098 41afd0 76098->76086 76099 41afb4 76099->76098 76102 42c333 NtClose 76099->76102 76100->76086 76101->76100 76103 41afc6 76102->76103 76103->76086 76105 42c700 76104->76105 76106 42c70e ExitProcess 76105->76106 76106->76084 76108 41632c 76107->76108 76110 416345 76108->76110 76111 42cd63 76108->76111 76110->76092 76113 42cd7d 76111->76113 76112 42cdac 76112->76110 76113->76112 76118 42b963 76113->76118 76116 42e3b3 RtlFreeHeap 76117 42ce1a 76116->76117 76117->76110 76119 42b97d 76118->76119 76122 3972c0a 76119->76122 76120 42b9a9 76120->76116 76123 3972c11 76122->76123 76124 3972c1f LdrInitializeThunk 76122->76124 76123->76120 76124->76120 76126 41ae4d 76125->76126 76130 41af29 76125->76130 76131 42ba03 76126->76131 76129 42c333 NtClose 76129->76130 76130->76097 76130->76099 76132 42ba1d 76131->76132 76135 39735c0 LdrInitializeThunk 76132->76135 76133 41af1d 76133->76129 76135->76133 76136 3972b60 LdrInitializeThunk

            Executed Functions

            Function 00417653 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 54 417653-41766f 55 417677-41767c 54->55 56 417672 call 42f0b3 54->56 57 417682-417690 call 42f6b3 55->57 58 41767e-417681 55->58 56->55 61 4176a0-4176b1 call 42da53 57->61 62 417692-41769d call 42f953 57->62 67 4176b3-4176c7 LdrLoadDll 61->67 68 4176ca-4176cd 61->68 62->61 67->68
            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004176C5
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 98eced4371543c88b8936ebc77b0720b60f507ae4c84dfee4b3ff002cccce43c
            • Instruction ID: 892959356603833123e1c71540ef2e5d09206650632d8e43e8514516b00065a3
            • Opcode Fuzzy Hash: 98eced4371543c88b8936ebc77b0720b60f507ae4c84dfee4b3ff002cccce43c
            • Instruction Fuzzy Hash: 5C0171B2E0020DBBDF10DBE5DC42FDEB7789B54308F4081AAE90897241F634EB598B95
            Function 0042C333 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 79 42c333-42c36c call 404993 call 42d543 NtClose
            APIs
            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C367
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            • Opcode ID: c253ba5626deb7eecf88775f9a9b5acb02255364b3fd36f80c1dfc940615c145
            • Instruction ID: f76d2b7edd7b4b746de9e2cfaadf3b0e67f654803069f6f876bdab61643147d2
            • Opcode Fuzzy Hash: c253ba5626deb7eecf88775f9a9b5acb02255364b3fd36f80c1dfc940615c145
            • Instruction Fuzzy Hash: B3E04F766402147BD620EB6ADC01F9B776CDBC9714F40442AFA08A7182C674B90086E4
            Function 039735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 95 39735c0-39735cc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 4be9a3a027b1213746c62ef976b0f763c22a985be547b845e1c0e620e8c3881e
            • Instruction ID: 4497bbe5aac9f59624acf363cc827cabf1ee1e51e0668e8625c02bc64c62714c
            • Opcode Fuzzy Hash: 4be9a3a027b1213746c62ef976b0f763c22a985be547b845e1c0e620e8c3881e
            • Instruction Fuzzy Hash: 7F90023160960802E100B2584558746104A87D0301FA5C411A042456CD87958A5165B2
            Function 03972B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 93 3972b60-3972b6c LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 151f3ac5a8fa9762a6db999dbb57c66b435b333a2df877fb69d40c93a2a89f20
            • Instruction ID: 22c36522434eb6944a2960d28ddf6e72643fa080337c264e3b10282863818cec
            • Opcode Fuzzy Hash: 151f3ac5a8fa9762a6db999dbb57c66b435b333a2df877fb69d40c93a2a89f20
            • Instruction Fuzzy Hash: 99900261206504035105B2584458656404F87E0301B95C021E1014594DC62589916135
            Function 03972DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 94 3972df0-3972dfc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 59c4f21452b4794254a7616726d19b579ffa29b915d72d3bd7481c6705e45172
            • Instruction ID: 0f3c359a53053e280df62dd54102a81f1997600eb213e6536177792b7b24990b
            • Opcode Fuzzy Hash: 59c4f21452b4794254a7616726d19b579ffa29b915d72d3bd7481c6705e45172
            • Instruction Fuzzy Hash: 7290023120550813E111B2584548747004E87D0341FD5C412A042455CD97568A52A131
            Function 0042C643 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 69 42c643-42c687 call 404993 call 42d543 RtlAllocateHeap
            APIs
            • RtlAllocateHeap.NTDLL(?,0041E3D1,?,?,00000000,?,0041E3D1,?,?,?), ref: 0042C682
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 61d4f8c076ad4c1a884c16ea6189318a6020c21840bc9b2a53b4630d53a2b431
            • Instruction ID: a4d943de917b46e24c7129a43ed36b9e2968cb6968e3c69bf40b565ba00b0cef
            • Opcode Fuzzy Hash: 61d4f8c076ad4c1a884c16ea6189318a6020c21840bc9b2a53b4630d53a2b431
            • Instruction Fuzzy Hash: F3E0EDB16442157BD614EF99EC41FAB77ACEFC9714F404429FA08A7242DA70BD10C7B9
            Function 0042C693 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 74 42c693-42c6d7 call 404993 call 42d543 RtlFreeHeap
            APIs
            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,00416ECD,000000F4), ref: 0042C6D2
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: aa325a07f3c3d181f1d3e58923e691fc5f8f1353cb4603d5c4d13caa4e3d4759
            • Instruction ID: 3b9590067691d0d5cff8fdedf5211defcc27a14c0dc3bb737c57f02617d16efe
            • Opcode Fuzzy Hash: aa325a07f3c3d181f1d3e58923e691fc5f8f1353cb4603d5c4d13caa4e3d4759
            • Instruction Fuzzy Hash: 66E092B16042147BD610EF59EC41FAB33ACEFC8714F004029FA08A7241D770BD1087B8
            Function 0042C6E3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 84 42c6e3-42c71c call 404993 call 42d543 ExitProcess
            APIs
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 88790c67740fc6575a7fa2231eea282f7509b3e8f150cd1289510054a3044193
            • Instruction ID: f28e34e9f44c0f1d219c41e05be5e2b8ffcfe28a2d5b706d76407a2867ddb17f
            • Opcode Fuzzy Hash: 88790c67740fc6575a7fa2231eea282f7509b3e8f150cd1289510054a3044193
            • Instruction Fuzzy Hash: 10E046766002247BDA20AA6AEC41F9F77ACDBC5714F40442AFA08A7241C7B1BA0186E4
            Function 03972C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 89 3972c0a-3972c0f 90 3972c11-3972c18 89->90 91 3972c1f-3972c26 LdrInitializeThunk 89->91
            APIs
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: fea47fb81015302c2983c049f450e4ff34636386537b9d3f34eba3efdfd9624c
            • Instruction ID: f1adfedf48a7cdca55495524b5188a0c29a4bede56addcfdf41bc260ae88798b
            • Opcode Fuzzy Hash: fea47fb81015302c2983c049f450e4ff34636386537b9d3f34eba3efdfd9624c
            • Instruction Fuzzy Hash: F0B09B719055C5C5EA11F760460C717794D67D0741F5DC4A1D3430645E4739C1D1E175

            Non-executed Functions

            Function 039B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2160512332
            • Opcode ID: 50bc9ae0f48d6d5354d423fa5a1631bdd8d0cda1e1831f028af4c44d76b6c4c3
            • Instruction ID: d69db52b551a866e5df470c44937dedfa463479ddbd1a340b7523583f381ba76
            • Opcode Fuzzy Hash: 50bc9ae0f48d6d5354d423fa5a1631bdd8d0cda1e1831f028af4c44d76b6c4c3
            • Instruction Fuzzy Hash: 50925A75608745ABE721DF24C984BABB7F8FB84750F084D2DFA949B290D770E844CB92
            Function 039268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-3089669407
            • Opcode ID: 5edcd0e38d4fff0ac3399761b930d7a5ad8722fbed8d36129aa6de78efa8f84d
            • Instruction ID: 7fbacab84817d7704f8f1d7b9a3d2926bc497d31a956f275380635e838afc33a
            • Opcode Fuzzy Hash: 5edcd0e38d4fff0ac3399761b930d7a5ad8722fbed8d36129aa6de78efa8f84d
            • Instruction Fuzzy Hash: 768111B2D026196F8B51FBA8DDC0EEEB7BDEF55610B054522B910FB114E720ED058BA0
            Function 03968620 Relevance: 19.0, Strings: 15, Instructions: 223COMMON
            Download Yara Rule
            Strings
            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 039A540A, 039A5496, 039A5519
            • Invalid debug info address of this critical section, xrefs: 039A54B6
            • Critical section address, xrefs: 039A5425, 039A54BC, 039A5534
            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 039A54E2
            • undeleted critical section in freed memory, xrefs: 039A542B
            • Critical section address., xrefs: 039A5502
            • IrwIrw@4rw@4rw, xrefs: 039A5341, 039A534D
            • Critical section debug info address, xrefs: 039A541F, 039A552E
            • Address of the debug info found in the active list., xrefs: 039A54AE, 039A54FA
            • double initialized or corrupted critical section, xrefs: 039A5508
            • Thread identifier, xrefs: 039A553A
            • corrupted critical section, xrefs: 039A54C2
            • 8, xrefs: 039A52E3
            • Thread is in a state in which it cannot own a critical section, xrefs: 039A5543
            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 039A54CE
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$IrwIrw@4rw@4rw
            • API String ID: 0-3353328696
            • Opcode ID: 740501b9b2a64203f38ae1932668469de334c5d351b6f2527179ad5c5bef8b8d
            • Instruction ID: 73084797cd128bf1abbc5770032479d36276c20d40930c0f1d1a58e547873fbd
            • Opcode Fuzzy Hash: 740501b9b2a64203f38ae1932668469de334c5d351b6f2527179ad5c5bef8b8d
            • Instruction Fuzzy Hash: 7681D1B1A04758EFDB20CF98C840BAEBBF9FB89704F154259F554BB281D771A941CBA0
            Function 03960F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
            • API String ID: 0-360209818
            • Opcode ID: e0b1aad7e2b9fd42c1a7d076c190ee895ca8070cea7b0238c9fd143de6441800
            • Instruction ID: 21e4bf5d582eac5a4e276c6925974c8f8397557e9cb632578b50e3259aaca604
            • Opcode Fuzzy Hash: e0b1aad7e2b9fd42c1a7d076c190ee895ca8070cea7b0238c9fd143de6441800
            • Instruction Fuzzy Hash: 9D629FB5E016298FDB24CF1CC8417A9B7BAEF95360F5982DAD449AB240D7325ED1CF80
            Function 039E12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
            • API String ID: 0-3591852110
            • Opcode ID: 5167f6a81a6183c69b45873b77b0dd8a22568d1f86d60d0e40f1ead1f96cf4ca
            • Instruction ID: 1c024a9ea3ccf5192aa96eb891e1383d42b6b6c58df1b15af6d09ba852d58db6
            • Opcode Fuzzy Hash: 5167f6a81a6183c69b45873b77b0dd8a22568d1f86d60d0e40f1ead1f96cf4ca
            • Instruction Fuzzy Hash: E312DD75600642EFD726DF28C481BBAFBF9FF49754F088859E4968B682D734E880DB50
            Function 0394AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
            • API String ID: 0-3197712848
            • Opcode ID: 79fc397ecae70e2db6411389e29d53a91f00c3a9872916e771dc416507c03429
            • Instruction ID: baec7210b9d3e513a94074c270a8f43f3eba09356d6c9469cf8b738834d7e216
            • Opcode Fuzzy Hash: 79fc397ecae70e2db6411389e29d53a91f00c3a9872916e771dc416507c03429
            • Instruction Fuzzy Hash: 8F12DD71A093418FE724DF28C840FAAB7E8FF85744F08095EF8959B291E774D945CB92
            Function 0392D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
            • API String ID: 0-3532704233
            • Opcode ID: e102a38dae7f9ff260428d1d252219b06a6bc88e79c8cc9be1acd70992288272
            • Instruction ID: ec1b09944660083fa98528a3aa86803761a79f5abcc09dfbaa3f256e8adbfb00
            • Opcode Fuzzy Hash: e102a38dae7f9ff260428d1d252219b06a6bc88e79c8cc9be1acd70992288272
            • Instruction Fuzzy Hash: D0B1AC725087659FC721EF24C480A6FBBE8AFC8794F054D2EF899DB244D770D9448B92
            Function 039E0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
            • API String ID: 0-1357697941
            • Opcode ID: a42e3e9430f80836242582793caaa0eea7b67dd24e2b1b44a869118f27fc5ef6
            • Instruction ID: 0c17a563ca437ce2ea9a6f8e318728a1977f3964aae0cebe7743cf5b6d64ebd0
            • Opcode Fuzzy Hash: a42e3e9430f80836242582793caaa0eea7b67dd24e2b1b44a869118f27fc5ef6
            • Instruction Fuzzy Hash: DEF11435A00756EFCB26DF6AC480BAAFBF9FF09714F088459E4859B242C774A985CB50
            Function 039C9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
            • API String ID: 0-3063724069
            • Opcode ID: 840370fc35932bfd8a785be3e6fc46f5d1a2f2e04053156e8f3228e46a052090
            • Instruction ID: e18c3f418c9a65b67b414e116ae047e4954141a1259a56dbe1579f3512e2e924
            • Opcode Fuzzy Hash: 840370fc35932bfd8a785be3e6fc46f5d1a2f2e04053156e8f3228e46a052090
            • Instruction Fuzzy Hash: 48D1D472814395AFD721EB64C841BAFB7ECAFC4754F05492DFA84AB290D770C9448BA3
            Function 039E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
            • API String ID: 0-1700792311
            • Opcode ID: dea38113257449c34e3d44f597cc27254b967e2a8ff9236c64ffa144da7dd48f
            • Instruction ID: c61e003230c1e32b974cefe1a5427767954135faf23482bbcdaf96b0185dfd35
            • Opcode Fuzzy Hash: dea38113257449c34e3d44f597cc27254b967e2a8ff9236c64ffa144da7dd48f
            • Instruction Fuzzy Hash: F2D1EE7A604B85DFCB22EF6AC440AAEFBF5FF8A714F088049E4559B352D7B49941CB10
            Function 0392D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0392D262
            • Control Panel\Desktop\LanguageConfiguration, xrefs: 0392D196
            • @, xrefs: 0392D313
            • @, xrefs: 0392D2AF
            • @, xrefs: 0392D0FD
            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0392D146
            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0392D0CF
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0392D2C3
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
            • API String ID: 0-1356375266
            • Opcode ID: 3f46bb8ae432d167cc08f66682e4d080320dd69dcf273fe5d29ed729f6d9473b
            • Instruction ID: bd944fc1e1ba1b81a1b83fa7a6f266c53f6c3de38ee6a55ad6e283d16d9aef1e
            • Opcode Fuzzy Hash: 3f46bb8ae432d167cc08f66682e4d080320dd69dcf273fe5d29ed729f6d9473b
            • Instruction Fuzzy Hash: D1A17A719087569FD721DF24C484BABBBE8BFC4755F004D2EE5A89A280E774D908CF92
            Function 03949EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
            Download Yara Rule
            Strings
            • Status != STATUS_NOT_FOUND, xrefs: 0399789A
            • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03997709
            • @, xrefs: 03949EE7
            • minkernel\ntdll\sxsisol.cpp, xrefs: 03997713, 039978A4
            • sxsisol_SearchActCtxForDllName, xrefs: 039976DD
            • Internal error check failed, xrefs: 03997718, 039978A9
            • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 039976EE
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
            • API String ID: 0-761764676
            • Opcode ID: 61f8fbdc420b213a9a64372d64dc7f00a55058670219d583989346ca19640251
            • Instruction ID: 8e4d4c518901c977cbe433ad1de35ca4fc5dfbaa4847ece7a74e5206e0ce0421
            • Opcode Fuzzy Hash: 61f8fbdc420b213a9a64372d64dc7f00a55058670219d583989346ca19640251
            • Instruction Fuzzy Hash: 26127E749002199FDF24DF98C881EAEB7B8FF48754F1984AAE845EB241E7349C41CB65
            Function 0393EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
            • API String ID: 0-1109411897
            • Opcode ID: 90b3c50b672d8755f4335478d7281eb2dbe7f0234314d35b94f107fb10bc0e73
            • Instruction ID: f902200167a36ad5664c1c2b6e1b7a0fad3bc94432525ff73139bf55156be90f
            • Opcode Fuzzy Hash: 90b3c50b672d8755f4335478d7281eb2dbe7f0234314d35b94f107fb10bc0e73
            • Instruction Fuzzy Hash: C5A229B5E056298FDF65DF19CD887A9B7B9AF45344F1442EAD80EA7250DB309E81CF00
            Function 0392F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-523794902
            • Opcode ID: 366ee5c764b8e1c3debe1ebac56c192ba65d400aa6e0f03e00cf2a0da913b373
            • Instruction ID: f0d2e8f91c9f750e84d9ed57f35e7c203faab3c2a16ae277680c9c83655df081
            • Opcode Fuzzy Hash: 366ee5c764b8e1c3debe1ebac56c192ba65d400aa6e0f03e00cf2a0da913b373
            • Instruction Fuzzy Hash: E342FD35608B919FC715EF28C894A2AFBE9FFC9344F08496DE4868B395D730D845CB52
            Function 0393ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
            • API String ID: 0-4098886588
            • Opcode ID: 5f58fbd99224e8127a0621975fdcf4040e6b818361bb235a0121beb3f9aa0b92
            • Instruction ID: f6f45883220297e7f1b8a51c5e87c1ba9377169197298acb706c4744bb2b9340
            • Opcode Fuzzy Hash: 5f58fbd99224e8127a0621975fdcf4040e6b818361bb235a0121beb3f9aa0b92
            • Instruction Fuzzy Hash: 183283B5D04269CBEF21CF58CC94BEEB7B9AF46380F1841EAE449A7250D7719E818F40
            Function 0394B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
            • API String ID: 0-122214566
            • Opcode ID: 945415cc767e622cca97fbaabe4ee2ce603723b508432c79fd70cfd030a70a05
            • Instruction ID: a1e0ec0f358c0617c66b5aa66f65acbe8cf5ea8eddee7c97b4966aa368e85e23
            • Opcode Fuzzy Hash: 945415cc767e622cca97fbaabe4ee2ce603723b508432c79fd70cfd030a70a05
            • Instruction Fuzzy Hash: F7C15A31A05315AFDF24CF69C891FBEB7A9AF86350F184569E8869F2C1E7B4C844C390
            Function 039663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
            • API String ID: 0-792281065
            • Opcode ID: ba004e2b9ecff75c75ca8ba146d508fe05765f8ef5fa08f4d0dbb8e3343578ba
            • Instruction ID: ae47bf5286a47b9938d7bd1c3c439428b9ceb94e1743923422269e7a8cb349f4
            • Opcode Fuzzy Hash: ba004e2b9ecff75c75ca8ba146d508fe05765f8ef5fa08f4d0dbb8e3343578ba
            • Instruction Fuzzy Hash: 92912835A01B149FDB34EF1DD845BBEB7A8FB92B64F140669E8106B781D7B49802C7D0
            Function 0396C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • Unable to build import redirection Table, Status = 0x%x, xrefs: 039A81E5
            • minkernel\ntdll\ldrredirect.c, xrefs: 039A8181, 039A81F5
            • LdrpInitializeProcess, xrefs: 0396C6C4
            • Loading import redirection DLL: '%wZ', xrefs: 039A8170
            • minkernel\ntdll\ldrinit.c, xrefs: 0396C6C3
            • LdrpInitializeImportRedirection, xrefs: 039A8177, 039A81EB
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-475462383
            • Opcode ID: b1b0b23647474cc58591791cc5fef1267e2a265016336a2ab174896076c0109b
            • Instruction ID: b608b8714d67b0814bf561a7171f2fb0c8608fa2bf8532b47960625313f69b8e
            • Opcode Fuzzy Hash: b1b0b23647474cc58591791cc5fef1267e2a265016336a2ab174896076c0109b
            • Instruction Fuzzy Hash: 7731F3757447059FD220FF2CDD45E2AB7A4EFC5B50F040A58F885AF291E620EC05CBA2
            Function 03962674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • SXS: %s() passed the empty activation context, xrefs: 039A2165
            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 039A219F
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 039A21BF
            • RtlGetAssemblyStorageRoot, xrefs: 039A2160, 039A219A, 039A21BA
            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 039A2178
            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 039A2180
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
            • API String ID: 0-861424205
            • Opcode ID: e3c66234572aadfc3582d9606aa12082e9a9e186e89204fdb68c86f0af20dd45
            • Instruction ID: 28411c707f380f2b1a793c86dc8e71d284bce08009be03d6f718a18b70fe90f4
            • Opcode Fuzzy Hash: e3c66234572aadfc3582d9606aa12082e9a9e186e89204fdb68c86f0af20dd45
            • Instruction Fuzzy Hash: 32310636E422197BE721CB9D8C85F6FB778DBD4A80F094969FA457B141D270EA00C6E1
            Function 039B9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
            • API String ID: 0-3127649145
            • Opcode ID: 71a3f1663667d152713a37a10102a98826cd34309afd2a3cf1589f992ce36b92
            • Instruction ID: 4d0ef96b20a9a9dedf705d61f5c272726816a8156440d963a521485bd430d0f9
            • Opcode Fuzzy Hash: 71a3f1663667d152713a37a10102a98826cd34309afd2a3cf1589f992ce36b92
            • Instruction Fuzzy Hash: 3B325975A017199BDB61DF65CD88BDAB7F8FF88300F1045EAD509AB290DB70AA84CF50
            Function 03949950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
            • API String ID: 0-3393094623
            • Opcode ID: 270823486fc79695e1506c7f5de9362ff6f055cc4021cc6e8e845cb32fd78380
            • Instruction ID: f181a85b86a26cd5d6ef6db05c6b675a33d3f00284a4da541fa83367c8c63e65
            • Opcode Fuzzy Hash: 270823486fc79695e1506c7f5de9362ff6f055cc4021cc6e8e845cb32fd78380
            • Instruction Fuzzy Hash: 9B024975908342CFD720CF68C184B6BF7E9BF89744F49895EE9998B250E770D844CB92
            Function 039551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
            Download Yara Rule
            Strings
            • Kernel-MUI-Number-Allowed, xrefs: 03955247
            • Kernel-MUI-Language-Disallowed, xrefs: 03955352
            • Kernel-MUI-Language-Allowed, xrefs: 0395527B
            • Kernel-MUI-Language-SKU, xrefs: 0395542B
            • WindowsExcludedProcs, xrefs: 0395522A
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
            • API String ID: 0-258546922
            • Opcode ID: 7b21b0bff3af2fa5fe8fcb0474c0a8908bc2a5577d85ae6c82ef84479778dfc5
            • Instruction ID: 093a0feb1c746ff0139e29a94a4627bd4a1e8bd679b0b23949cd715cc1e9a9a0
            • Opcode Fuzzy Hash: 7b21b0bff3af2fa5fe8fcb0474c0a8908bc2a5577d85ae6c82ef84479778dfc5
            • Instruction Fuzzy Hash: 33F17C76D10218EFCF11DFA8C980AEEBBFDEF49650F15405AE902AB251E7749E41CB90
            Function 039B4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
            • API String ID: 0-2518169356
            • Opcode ID: 974b3736cb84f8b98e83da2e522c83a669bf2bf8feaa6b0139ec4f063bc9a116
            • Instruction ID: b5343e6ab71fabad4c28f93f8dc6f185b94b3e55d35f098effc7601ec4ead5d9
            • Opcode Fuzzy Hash: 974b3736cb84f8b98e83da2e522c83a669bf2bf8feaa6b0139ec4f063bc9a116
            • Instruction Fuzzy Hash: DF91C176D006199BCB20CFA9C981AFEB7B4EF89350F5A4169E814EB390D735D901CB90
            Function 0395D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1975516107
            • Opcode ID: 68827f74fba6ad8ef6f54941bf2703fbd1261035921ee1d7b180d965d62103e2
            • Instruction ID: f9044f39895588b03157a32c38323d1c6fb76a7d81246410425b4fe155656834
            • Opcode Fuzzy Hash: 68827f74fba6ad8ef6f54941bf2703fbd1261035921ee1d7b180d965d62103e2
            • Instruction Fuzzy Hash: DA510275E00345DFDB24EFA8C4847AEFBB1FF89354F284159E9016B2A1D774A882CB90
            Function 039276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
            • API String ID: 0-3061284088
            • Opcode ID: 37539a475c3b15bff2d05f8f97e66999c80ea334abc5e19387009d2c68efcb86
            • Instruction ID: 67471ce55b15fcfcf1c1b5e9eec154914e14dc272095d84ad1aba7106193a26e
            • Opcode Fuzzy Hash: 37539a475c3b15bff2d05f8f97e66999c80ea334abc5e19387009d2c68efcb86
            • Instruction Fuzzy Hash: DB014C3B108B60DED329F71DD409F6ABBD8DFC2B74F1D4049E0104B596CAE49C80D520
            Function 039470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 5df9ed0176938d0908c0ca16406b0f00b2632773bdac5ecdc969a6bd642d8caa
            • Instruction ID: ce30089ab455b73aace4f33b8cb22b306f5f665cf3870f6f8b7233e47c5b5e66
            • Opcode Fuzzy Hash: 5df9ed0176938d0908c0ca16406b0f00b2632773bdac5ecdc969a6bd642d8caa
            • Instruction Fuzzy Hash: 6713DF70A04659CFDB28CF68C490BA9FBF5FF49304F1885A9D859AB381D735A942CF90
            Function 039429A0 Relevance: 6.0, Strings: 4, Instructions: 966COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
            • API String ID: 0-3126994380
            • Opcode ID: 0a80864498bd3abe2fb1201a7ff17cccdbe854802de162223bb48250ed8ed077
            • Instruction ID: cd2441026bb131ba493d6fe1e6cadca93226ab5b6fe7afa862be4b2ba6256021
            • Opcode Fuzzy Hash: 0a80864498bd3abe2fb1201a7ff17cccdbe854802de162223bb48250ed8ed077
            • Instruction Fuzzy Hash: E392CD75E042499FDB25CF68C480BAEBBF5FF49300F188899E899AB391D735A941CF50
            Function 03941070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
            • API String ID: 0-3570731704
            • Opcode ID: 8aa4431c1afc034506716ed139fd11adde7c88452b4ca7b295f29188a7a6b3da
            • Instruction ID: d525a2de2e89a1ded9d23f29ad01d4e1bfb7e17301b6ac2dbf5867298fa34301
            • Opcode Fuzzy Hash: 8aa4431c1afc034506716ed139fd11adde7c88452b4ca7b295f29188a7a6b3da
            • Instruction Fuzzy Hash: D3924875A01229CFEB25DF18C840FAAB7B9BF45354F0981EAD949AB390D7349E80CF51
            Function 03931460 Relevance: 5.4, Strings: 4, Instructions: 385COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-2084224854
            • Opcode ID: c227c4f6d90d5d715f526fb7f8f934e4b2a29ca8d1c56b8d58187de07b2a95dc
            • Instruction ID: ea3429ae49d967ce2a77ffc3e537ff95feb939bf82b375acd1a529317c0d8d07
            • Opcode Fuzzy Hash: c227c4f6d90d5d715f526fb7f8f934e4b2a29ca8d1c56b8d58187de07b2a95dc
            • Instruction Fuzzy Hash: 17E100B0A046459FDB29EF6CC441B7ABBF9EF8A344F18885DE4978B255E734E840CB50
            Function 0394A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
            Download Yara Rule
            Strings
            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03997D03
            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03997D56
            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03997D39
            • SsHd, xrefs: 0394A885
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
            • API String ID: 0-2905229100
            • Opcode ID: 341ad997befef03c940dab764d8416383b9c272f334c27f9110655ad8f078ada
            • Instruction ID: 0c0eca2387e668e7eca2b20e86c93240180fd7a79650f85fe59eeff778676009
            • Opcode Fuzzy Hash: 341ad997befef03c940dab764d8416383b9c272f334c27f9110655ad8f078ada
            • Instruction Fuzzy Hash: 08D18D76A402199FDF24CF98C9C0AADF7BAFF48350F19406AE845AB351E771D981CB90
            Function 03943D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 7557a47c63ee2f342d2382b84a906113ca4f64453a47872ffd2808fdde0d352e
            • Instruction ID: 1a98eec4dc1794e7af7388f05b05110da2a07b5681213ebaff24a1c26ecfa319
            • Opcode Fuzzy Hash: 7557a47c63ee2f342d2382b84a906113ca4f64453a47872ffd2808fdde0d352e
            • Instruction Fuzzy Hash: 33E2AF74A006559FDB28CF6AC490BAEFBF5FF49304F1881A9D849AB385D734A845CF90
            Function 0393A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
            • API String ID: 0-379654539
            • Opcode ID: 581af7cf39f7d28f843e32622fb8c077c54a9b2d9de7aec59afcfbf85182fb09
            • Instruction ID: d39939320f7ccfb33abb86ae383580ed3b1cb6745ecf55f4ae5f52aaeb3eb167
            • Opcode Fuzzy Hash: 581af7cf39f7d28f843e32622fb8c077c54a9b2d9de7aec59afcfbf85182fb09
            • Instruction Fuzzy Hash: 6FC188B52083869FDB11DF18C444B6AB7E8BF86744F044D6AF8D68B290E735C949CB52
            Function 03940C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
            Download Yara Rule
            Strings
            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 039955AE
            • HEAP: , xrefs: 039954E0, 039955A1
            • HEAP[%wZ]: , xrefs: 039954D1, 03995592
            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 039954ED
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
            • API String ID: 0-1657114761
            • Opcode ID: 33c93bd3441c00ae3aa74d2321d0ebdaca68b9b170ede265e87114ad89075ddb
            • Instruction ID: da0fcb60e85f5cfa47f5a3298e98722ab9f6fdc916b840b748557e490c815144
            • Opcode Fuzzy Hash: 33c93bd3441c00ae3aa74d2321d0ebdaca68b9b170ede265e87114ad89075ddb
            • Instruction Fuzzy Hash: EBA1F175604705DFDB24DF28C840BBAFBE9AF85304F188969D59A8B786D730E844CB91
            Function 0396273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • SXS: %s() passed the empty activation context, xrefs: 039A21DE
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 039A22B6
            • .Local, xrefs: 039628D8
            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 039A21D9, 039A22B1
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
            • API String ID: 0-1239276146
            • Opcode ID: 89dde5d5ce70890d450f283dd7cc567bc168c1ed35cacb691338638f9f17b6ee
            • Instruction ID: 7e4962f4ea1cf0eb1bab7db506c99623977414be242232fe87093935aca4fa8a
            • Opcode Fuzzy Hash: 89dde5d5ce70890d450f283dd7cc567bc168c1ed35cacb691338638f9f17b6ee
            • Instruction Fuzzy Hash: C1A1A43590122DDFDB24CF54DD84BA9B3B9BF98354F1949E9D888AB251D7309E80CF90
            Function 0392F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
            • API String ID: 0-2586055223
            • Opcode ID: 86249a2a315219e9b317f5989cd780011594e3d54739eb1ad6128ae3fe29b9b0
            • Instruction ID: 44747b55e7b16a9fe183e4f549ed1e46db4cddefe70eea45fbd0c37e554b912f
            • Opcode Fuzzy Hash: 86249a2a315219e9b317f5989cd780011594e3d54739eb1ad6128ae3fe29b9b0
            • Instruction Fuzzy Hash: C9610376205B849FD722EB28C854F67BBECEFC0754F080869F9568B291D734D941CB61
            Function 039E11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
            • API String ID: 0-336120773
            • Opcode ID: 5ef3c558f38f989777f4b3b11caae07763a3a9a4ed6b22fd6ba4fa0ba25cb207
            • Instruction ID: 33569bba451c2f4867b4e983b1de45615317c415774c34517bab1ff201c0ac0c
            • Opcode Fuzzy Hash: 5ef3c558f38f989777f4b3b11caae07763a3a9a4ed6b22fd6ba4fa0ba25cb207
            • Instruction Fuzzy Hash: 1F31023A200620EFC712DB98CC85F6AB7E8EF89764F180555F451DB395D670EC40DA65
            Function 03929148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
            • API String ID: 0-1391187441
            • Opcode ID: a9ac990611d594471141cd29b9992ccf5b7096de4b23ae4c7c5050eb23607c77
            • Instruction ID: 1e1c5dfe9886adf25188ab920f6b4c1db05c0d064a49e79be53f5787d3fa36b8
            • Opcode Fuzzy Hash: a9ac990611d594471141cd29b9992ccf5b7096de4b23ae4c7c5050eb23607c77
            • Instruction Fuzzy Hash: BB31B436600614EFDB11EB4AC885FDFBBF8EF85760F194051E814AB295D770ED40CA60
            Function 03941F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 9e873bc5f6a1fbe6746fd99aabd04b2ed4ed76eec2aa0cc786a0a4baf2d31650
            • Instruction ID: caab9ac72a460b134132c848f897dad4363d8a4a6b39cdbc12bca6ad1a38dda3
            • Opcode Fuzzy Hash: 9e873bc5f6a1fbe6746fd99aabd04b2ed4ed76eec2aa0cc786a0a4baf2d31650
            • Instruction Fuzzy Hash: E822FE70600641AFEB26DF28C494B7BFBF9FF46744F19889AE4958B286D731D881CB50
            Function 039317EC Relevance: 4.3, Strings: 3, Instructions: 520COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 0398F8B7
            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0398F8CC
            • HEAP[%wZ]: , xrefs: 0398F8AA
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: f700d8f31c94648204a37eb0ddcb6f8dc60725f288b90f737948daf12937c0b4
            • Instruction ID: 188514e1f235f8c4f20a790e5ebb12c754d4afed92521ab1b2f2a5fd768c9fda
            • Opcode Fuzzy Hash: f700d8f31c94648204a37eb0ddcb6f8dc60725f288b90f737948daf12937c0b4
            • Instruction Fuzzy Hash: CF12B070604755AFEB24EF24D080B76FBE9FF86744F188599D48A8B295E335EC41CBA0
            Function 03940770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-4253913091
            • Opcode ID: 355d37bae5734528a0b440a5b3f83e37188ed1436f821ecc9d0ae0bde5514d89
            • Instruction ID: 6f8b2ff568ace9bb124aaec687a13639e0d5e7a48ba08e939577dae031ee7239
            • Opcode Fuzzy Hash: 355d37bae5734528a0b440a5b3f83e37188ed1436f821ecc9d0ae0bde5514d89
            • Instruction Fuzzy Hash: BBF1BA34A00605DFEB25CF68C984F6AF7B9FF85304F1986A9E5169B381D734E981CB90
            Function 0393B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
            • API String ID: 0-1145731471
            • Opcode ID: 3dad5535aee53d11d4c0aa3610b5c02f1a6c8b07768e4423842ad646082ccc93
            • Instruction ID: 3105ccb7d11f05329d578d196575ae47783a06d13be9817c5066a8028c9c94f7
            • Opcode Fuzzy Hash: 3dad5535aee53d11d4c0aa3610b5c02f1a6c8b07768e4423842ad646082ccc93
            • Instruction Fuzzy Hash: CFB19FB9A146059FEF25CF5EC980BADB7BAEF85354F18496AE452DB780D730E840CB40
            Function 039B368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
            • API String ID: 0-2391371766
            • Opcode ID: 0d74e1b2cd8baef7a47b745ee36c6401eaedb904002ba824f793207265adb3fa
            • Instruction ID: f02ecd7b553900bbca929ebfbcdaddd5859730fc821c571035f79ba448612ce3
            • Opcode Fuzzy Hash: 0d74e1b2cd8baef7a47b745ee36c6401eaedb904002ba824f793207265adb3fa
            • Instruction Fuzzy Hash: FBB17E7A604345EFE321EF58C9C0BABB7F8EB88750F150929F9509B290D770E804CB92
            Function 004025C0 Relevance: 4.0, Strings: 3, Instructions: 283COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: VUUU$VUUU$gfff
            • API String ID: 0-2314002932
            • Opcode ID: a786206704a4c73ccc5653bb8898c7f258e46ed527ae1a95b09c85026094a1ba
            • Instruction ID: a384bd9cfbe211cfb2bc78efb560ac69642867dddff00d1deddb8e19d570a0f7
            • Opcode Fuzzy Hash: a786206704a4c73ccc5653bb8898c7f258e46ed527ae1a95b09c85026094a1ba
            • Instruction Fuzzy Hash: A5812836B005064BDB1C8D5DCE9827AB396EBD4315F18823BD90ADF3C1EAB9ED158784
            Function 03956962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $@
            • API String ID: 0-1077428164
            • Opcode ID: 7f399e6f18c5ba3b2661bdb25ef1fe0fb09fb1bdd74d2c8e394381f6d94ee109
            • Instruction ID: abf0408370907eac659142eb4798f084af61c75b930a9cfbbe71b04dd2b9010e
            • Opcode Fuzzy Hash: 7f399e6f18c5ba3b2661bdb25ef1fe0fb09fb1bdd74d2c8e394381f6d94ee109
            • Instruction Fuzzy Hash: F0C26E716083419FEB25CF68C881BABBBE9AFC8754F08896DFD8987240D734D945CB52
            Function 0392A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: FilterFullPath$UseFilter$\??\
            • API String ID: 0-2779062949
            • Opcode ID: 9101f1bbd8f7b6acda2b40542a4c183a7b3a1c7252b6f3d16a84f687cfe5bbf2
            • Instruction ID: 1418661ce880ccc7ea20cdd6277114132c14c7c52535380fb917e845dbe25c63
            • Opcode Fuzzy Hash: 9101f1bbd8f7b6acda2b40542a4c183a7b3a1c7252b6f3d16a84f687cfe5bbf2
            • Instruction Fuzzy Hash: 20A180769116299BDB31EF64CC88BAAF7B8EF84700F0401EAE909A7250D7359EC5CF50
            Function 039C36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
            • API String ID: 0-318774311
            • Opcode ID: cde50031f17336a41d59f86f216d26111ba2675723a4146337d9122d022b6fc7
            • Instruction ID: e6a873668ee6a332ac346c8aac52ff626378eefa8d49fdbb641b16a648e639ef
            • Opcode Fuzzy Hash: cde50031f17336a41d59f86f216d26111ba2675723a4146337d9122d022b6fc7
            • Instruction Fuzzy Hash: F3818F79628381AFD311DB29C884F6AB7E8FF85790F04892DF9919B390D778D904CB52
            Function 0396909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %$&$@
            • API String ID: 0-1537733988
            • Opcode ID: e5415e366ee6746153abd53aa2a4d47e31dee3554b6b1ab21663bd97e74da8f5
            • Instruction ID: 8d255175dab9769b4edd6ed9d7420ce628ecf3bf54a4b6e95490de37ac2a76db
            • Opcode Fuzzy Hash: e5415e366ee6746153abd53aa2a4d47e31dee3554b6b1ab21663bd97e74da8f5
            • Instruction Fuzzy Hash: 4471BF7460A7419FC714DF24C980A2BFBE9FFC5758F248A1EE49A8B291C731D905CB92
            Function 03A0B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
            Download Yara Rule
            Strings
            • TargetNtPath, xrefs: 03A0B82F
            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 03A0B82A
            • GlobalizationUserSettings, xrefs: 03A0B834
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
            • API String ID: 0-505981995
            • Opcode ID: edcf1ec9d94849b630b303b863e25026beab71afda04a478ce0ffc76c81855de
            • Instruction ID: 9b82f794d6f3c4f50670f03aef4ff96fa2d5ff6f8e57100d54bab29d4876b5c1
            • Opcode Fuzzy Hash: edcf1ec9d94849b630b303b863e25026beab71afda04a478ce0ffc76c81855de
            • Instruction Fuzzy Hash: 0C617376D41229AFDB21DF54DD88BDAB7B8AF44750F0101EAA508AB290C774DE80CFA0
            Function 0392F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
            Download Yara Rule
            Strings
            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0398E6C6
            • HEAP: , xrefs: 0398E6B3
            • HEAP[%wZ]: , xrefs: 0398E6A6
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
            • API String ID: 0-1340214556
            • Opcode ID: 26c10779b2e59e3aae147beb3f3f61c0d4de6d159948eea403a3728c2e9009d8
            • Instruction ID: 86539377627ed170090f89738cda74bb8effa2045599b43d0b0167109c0eb81f
            • Opcode Fuzzy Hash: 26c10779b2e59e3aae147beb3f3f61c0d4de6d159948eea403a3728c2e9009d8
            • Instruction Fuzzy Hash: CD51F335604B54EFD712EB68C894FAAFBFCEF85340F0804A5E9428B692D774E910CB10
            Function 039DDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
            Download Yara Rule
            Strings
            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 039DDC32
            • HEAP: , xrefs: 039DDC1F
            • HEAP[%wZ]: , xrefs: 039DDC12
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
            • API String ID: 0-3815128232
            • Opcode ID: 0c538093712ab6dacd6ed2b8317754d8a06ecb5bfaed1d416e8a84384d8a020b
            • Instruction ID: 16332cafa8a69d9256a34f9477b70b8009a199d415009e50bd94bca785b0adf3
            • Opcode Fuzzy Hash: 0c538093712ab6dacd6ed2b8317754d8a06ecb5bfaed1d416e8a84384d8a020b
            • Instruction Fuzzy Hash: BF5157351046518EE374DF2EC846772B7E9DF96388F08CC9AE4D28B285D279E803DB60
            Function 0396C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
            Download Yara Rule
            Strings
            • LdrpInitializePerUserWindowsDirectory, xrefs: 039A82DE
            • Failed to reallocate the system dirs string !, xrefs: 039A82D7
            • minkernel\ntdll\ldrinit.c, xrefs: 039A82E8
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1783798831
            • Opcode ID: f3d8ea3c8d70a4353aa9ed7ef106e57f962569cd8e4e728dfa614a3f54c5d874
            • Instruction ID: 32461e26e8a487fb19f9fc79c585feae59638cb6726d499e6200c9fb8325bd88
            • Opcode Fuzzy Hash: f3d8ea3c8d70a4353aa9ed7ef106e57f962569cd8e4e728dfa614a3f54c5d874
            • Instruction Fuzzy Hash: 9741D2B5546304ABCB24FB6CD844B6B7BECFB85690F04492AF988D72A0E774D8118B91
            Function 039616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
            Download Yara Rule
            Strings
            • LdrpAllocateTls, xrefs: 039A1B40
            • minkernel\ntdll\ldrtls.c, xrefs: 039A1B4A
            • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 039A1B39
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
            • API String ID: 0-4274184382
            • Opcode ID: f798f40ae7f3cc606544a11b577aeec5289cfaefe0652a0f933f01e270a777d5
            • Instruction ID: 6687374db11a3d7500da7a693b3d5ab94dd853e806fb677ab3274d52310b7fd4
            • Opcode Fuzzy Hash: f798f40ae7f3cc606544a11b577aeec5289cfaefe0652a0f933f01e270a777d5
            • Instruction Fuzzy Hash: 394178B9E01608EFDB15DFA8C881BAEFBF5FF89714F148219E405AB250D774A800CB90
            Function 039EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 039EC1F1
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 039EC1C5
            • PreferredUILanguages, xrefs: 039EC212
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
            • API String ID: 0-2968386058
            • Opcode ID: 2ddac73613a42422a9baa379d8b847262b2ae76ea94d56a7e3dafe9e181b7245
            • Instruction ID: e8dd1758d072fe2ba91dcb278f8858817ad1cab4de82945fad01f8a6459bc4be
            • Opcode Fuzzy Hash: 2ddac73613a42422a9baa379d8b847262b2ae76ea94d56a7e3dafe9e181b7245
            • Instruction Fuzzy Hash: 46417C76A00209EFDB12DBD4C885FEEB7BCAB44740F04406AE945BB2A0D774DA448F90
            Function 039C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
            • API String ID: 0-1373925480
            • Opcode ID: 256049cd1ed7f8278670603ccf80e88c0678326626311336c402ec89372de6cd
            • Instruction ID: ae86d3c9b462513a3ff2ed8767a1f8908a2499e4f9987a18076b70302a02a709
            • Opcode Fuzzy Hash: 256049cd1ed7f8278670603ccf80e88c0678326626311336c402ec89372de6cd
            • Instruction Fuzzy Hash: 4141D676A10798CBEB26DBE6C950BADB7B8EF95380F18045DD841EF791D7348901CB12
            Function 039B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            • LdrpCheckRedirection, xrefs: 039B488F
            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 039B4888
            • minkernel\ntdll\ldrredirect.c, xrefs: 039B4899
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-3154609507
            • Opcode ID: ffd506117d69edf62b034cdd3e0f5336292c51ae11681349bd20aa393c7fdc99
            • Instruction ID: 965d261897a4a692da8e63a2fb52c9d840ddc2dd9184d89fba98bfe125a560ab
            • Opcode Fuzzy Hash: ffd506117d69edf62b034cdd3e0f5336292c51ae11681349bd20aa393c7fdc99
            • Instruction Fuzzy Hash: B341A472A047509FCB21DE6EDA80AA6B7F8EF89690B09055DEC599B252D730D800DBD1
            Function 039633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • SXS: %s() passed the empty activation context data, xrefs: 039A29FE
            • Actx , xrefs: 039633AC
            • RtlCreateActivationContext, xrefs: 039A29F9
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
            • API String ID: 0-859632880
            • Opcode ID: a1ee94ab2604c84cea617f17e43d50f967524f684dc25b9699c53392d09cb7f4
            • Instruction ID: 177ce5655d6a49fa56435bf6267bd9cf05dd62b2a8570342a2d66cd994ed1978
            • Opcode Fuzzy Hash: a1ee94ab2604c84cea617f17e43d50f967524f684dc25b9699c53392d09cb7f4
            • Instruction Fuzzy Hash: D53114366017059FEB26DF69C8C4F96B7A8FB84750F098869ED059F2A5CB70D841CBD0
            Function 03961607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrtls.c, xrefs: 039A1A51
            • LdrpInitializeTls, xrefs: 039A1A47
            • DLL "%wZ" has TLS information at %p, xrefs: 039A1A40
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
            • API String ID: 0-931879808
            • Opcode ID: e0c6b4454232ef1bd649f4b557b8c733255b245b20410ce97308147ba625940b
            • Instruction ID: fca1ddc22a2e14ac3703de902b785d3858e38cac76949a68a16f61cd68101284
            • Opcode Fuzzy Hash: e0c6b4454232ef1bd649f4b557b8c733255b245b20410ce97308147ba625940b
            • Instruction Fuzzy Hash: A6312635E01204ABEB20EB5CC989F7AB6BCFB91754F050569E405BB180E770AD0587A0
            Function 03971270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
            Download Yara Rule
            Strings
            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0397127B
            • BuildLabEx, xrefs: 0397130F
            • @, xrefs: 039712A5
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
            • API String ID: 0-3051831665
            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction ID: 0a16283f7519321d6b78f5c9a77009cdb6e711015bac6f2609771e1d9c931a0b
            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction Fuzzy Hash: CB316D7690061DABDB11EFA5CC44EAEBBBDEB85750F004525E914AB2A0D730DA058BA4
            Function 039B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
            Download Yara Rule
            Strings
            • Process initialization failed with status 0x%08lx, xrefs: 039B20F3
            • LdrpInitializationFailure, xrefs: 039B20FA
            • minkernel\ntdll\ldrinit.c, xrefs: 039B2104
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2986994758
            • Opcode ID: 0f0c6a745a97cf90d2f3fbc3c70722a7dfca3a7ba11c4816eae69b2314ff9498
            • Instruction ID: c9c36d8e935324a1fe40f754bbf28b8c2cbaa8761c66fa64e7c0104dcd4ba416
            • Opcode Fuzzy Hash: 0f0c6a745a97cf90d2f3fbc3c70722a7dfca3a7ba11c4816eae69b2314ff9498
            • Instruction Fuzzy Hash: 2DF0FF34A4030CAFEA20F70C9D02FAA776CEB81A44F040854F6807B282D2A0A910CA80
            Function 039403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: #%u
            • API String ID: 48624451-232158463
            • Opcode ID: 05ac4d80521534740c1b340b90f23cf691e2a06614ce38aefa4892721fc5ebd2
            • Instruction ID: aa5caf0ee2674910c882c48b069fb72f8ee79e918b643c12953bf88da6a55fc3
            • Opcode Fuzzy Hash: 05ac4d80521534740c1b340b90f23cf691e2a06614ce38aefa4892721fc5ebd2
            • Instruction Fuzzy Hash: D7714876A0024A9FDB11DFA9D990FAEB7B8FF48344F154065E905AB251EB34ED01CBA0
            Function 039D705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: kLsE
            • API String ID: 3446177414-3058123920
            • Opcode ID: 0daef19e77794bff5823775fecec3267bdc171857267a0349195d598abc3f64e
            • Instruction ID: 7c9a075015eb8348e6b05bbd5c7f34e646ae374ebcaed206226f16a5cc433163
            • Opcode Fuzzy Hash: 0daef19e77794bff5823775fecec3267bdc171857267a0349195d598abc3f64e
            • Instruction Fuzzy Hash: 83416B715023514AD731FFADE846B7A7B98E791764F184219ED604F1D5CBB44483C790
            Function 039452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@
            • API String ID: 0-149943524
            • Opcode ID: 26d2f0f9b86b8425002124b4666e4379b9757ec20d293ed44a592cf378894c66
            • Instruction ID: 793cad5c56fd8d4b7e63bfcdde48ca20b58fd3c68b0203c8ceb4e750a6ce24e7
            • Opcode Fuzzy Hash: 26d2f0f9b86b8425002124b4666e4379b9757ec20d293ed44a592cf378894c66
            • Instruction Fuzzy Hash: 4532CE745083118BDB24DF58C580B3EF7E9EF86794F1A492EF9859B290E734D844CB52
            Function 03932FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @4rw@4rw$PATH
            • API String ID: 0-2366389529
            • Opcode ID: ccee017647309a72bcfe73c82eff8f5e52f739e554123c8171d0bdad52fabe9b
            • Instruction ID: 1bc99b66f7d926faa42c611979f8649ecb43b3030d2e92432e74a5f2fc3a2980
            • Opcode Fuzzy Hash: ccee017647309a72bcfe73c82eff8f5e52f739e554123c8171d0bdad52fabe9b
            • Instruction Fuzzy Hash: 55F1C2B9D40218EBCB25DFADD8C1ABEB7B5FF89700F498029E841AB250D7749C41CB61
            Function 039FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: `$`
            • API String ID: 0-197956300
            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction ID: 75f2055069398e11555b9e184f66e0f150bfd4e2bed071104b21c25bc9590444
            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction Fuzzy Hash: 79C1AD312043469FDB24CF28C845B6BFBE9AFC4358F184A2DFA998A290D775D505CF91
            Function 03930CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
            Download Yara Rule
            Strings
            • Failed to retrieve service checksum., xrefs: 0398EE56
            • ResIdCount less than 2., xrefs: 0398EEC9
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
            • API String ID: 0-863616075
            • Opcode ID: 080eb2d4178ab80b2fd002eb901d53eeaa74927449f2d836d18c840ca1920193
            • Instruction ID: f1f7f258ce5efe6249e166516a4b350c8ee5727128a0c4249e109e9e6381d339
            • Opcode Fuzzy Hash: 080eb2d4178ab80b2fd002eb901d53eeaa74927449f2d836d18c840ca1920193
            • Instruction Fuzzy Hash: 45E1E0B59087849FE324CF15C440BABBBE4FBC9314F008A2EE5999B381DB719909CF56
            Function 00402980 Relevance: 2.7, Strings: 2, Instructions: 237COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: Zzm)@$gfff
            • API String ID: 0-2134773077
            • Opcode ID: 6e8ca83001b32d009f6dba300b2ec6bd86ceffc8664efd6787db01a0f15b9e39
            • Instruction ID: 2dbbbd576cade97e4c4a312ca10e23aa04993d7c7f3e33c32c406751064cf059
            • Opcode Fuzzy Hash: 6e8ca83001b32d009f6dba300b2ec6bd86ceffc8664efd6787db01a0f15b9e39
            • Instruction Fuzzy Hash: 8271C271B0040A47DB1CDD5DCA956BEB3A6E794314F18817FD90AEB3C1EAB8AE418684
            Function 039AE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: Legacy$UEFI
            • API String ID: 2994545307-634100481
            • Opcode ID: 109e89091eeb97a5cf7604b1297ba1d6bbbf050488b69738bd5d5a92849c2e21
            • Instruction ID: 289261c020d7710c597e868ebd9038b901cc9d9e87199c2c992051ce6cb7be22
            • Opcode Fuzzy Hash: 109e89091eeb97a5cf7604b1297ba1d6bbbf050488b69738bd5d5a92849c2e21
            • Instruction Fuzzy Hash: 43614D71E007199FDB24DFACC880BAEBBB9FB44744F14456DE659EB291D731A900CB90
            Function 0394F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$$
            • API String ID: 0-233714265
            • Opcode ID: 454314e2b55da4e6f10c37846b43d7f396b746493ae1dd5d8c4904227a751d81
            • Instruction ID: d5e02e22d13fe180f30572384fe82d36d6f7c2a00ec89cb3952aad5db02aadaf
            • Opcode Fuzzy Hash: 454314e2b55da4e6f10c37846b43d7f396b746493ae1dd5d8c4904227a751d81
            • Instruction Fuzzy Hash: B6619975E0074ADFDB20EFA8C580FA9B7B5FF88304F184469D516AF680DB74A945CB90
            Function 0393A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
            Download Yara Rule
            Strings
            • RtlpResUltimateFallbackInfo Exit, xrefs: 0393A309
            • RtlpResUltimateFallbackInfo Enter, xrefs: 0393A2FB
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
            • API String ID: 0-2876891731
            • Opcode ID: 743802aa2cb41b778a22da1ed3bc35173ec6527b94ae00845e24cd8f6e78def8
            • Instruction ID: 782c1b191ed4ce64c4821c0f016ff5903b752123ae55062e3bbb91d801d67160
            • Opcode Fuzzy Hash: 743802aa2cb41b778a22da1ed3bc35173ec6527b94ae00845e24cd8f6e78def8
            • Instruction Fuzzy Hash: 4941AEB5A04749DBDB15CF69C880B69B7F8EF86740F1844A6EC84DB291E335D900CB52
            Function 0396329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local\$@
            • API String ID: 0-380025441
            • Opcode ID: 0b06655b44580682d73596def8351393a1b5bd64ddf3be18c4107422a15432b5
            • Instruction ID: a4194bc63022f52dab77c76444d96771fddc5a3a20725a2b5fb918800b9334fc
            • Opcode Fuzzy Hash: 0b06655b44580682d73596def8351393a1b5bd64ddf3be18c4107422a15432b5
            • Instruction Fuzzy Hash: 5631817A509705DFC311DF28C9C0E6BBBE8EBC5694F88092EF99587260DA30DD04CB92
            Function 0393C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: MUI
            • API String ID: 0-1339004836
            • Opcode ID: c5869f5d5af128af60f9f003e70931508d2dedd21069382f86f4fa7161b98629
            • Instruction ID: dd789eee05f56e87c203449610f0186b6f0595c52082f59d0cc82054e964beae
            • Opcode Fuzzy Hash: c5869f5d5af128af60f9f003e70931508d2dedd21069382f86f4fa7161b98629
            • Instruction Fuzzy Hash: F88269B5E006198BDB24CFA9C894BEDF7B9FF4A750F188169E819AB290D7309D41CF50
            Function 03982F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: P``wRb`w
            • API String ID: 0-2038367376
            • Opcode ID: 69e09e7fdb3b1c3b8a1969544981acc60190e25e5e2300f4f31cd162bc3dc9e2
            • Instruction ID: cca773860ebbad8756c0e75b675925fb0f98fa60ca6e5a28b78871701decf1a5
            • Opcode Fuzzy Hash: 69e09e7fdb3b1c3b8a1969544981acc60190e25e5e2300f4f31cd162bc3dc9e2
            • Instruction Fuzzy Hash: B042057DD04249AADF29FF6CD8C56BDFBB8AF84B50F1C845AE441AB280D7348981CB50
            Function 039DA118 Relevance: 1.8, Strings: 1, Instructions: 591COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: cf011107f9c3e73bbc9caaf2fe8cd0d60dd1891d4aaa1d2a6ab661468acd0dee
            • Instruction ID: b0c5a91bff5abb96d5a9996b745b801d8b06b0df36e4e5580c4e099fbeb6164e
            • Opcode Fuzzy Hash: cf011107f9c3e73bbc9caaf2fe8cd0d60dd1891d4aaa1d2a6ab661468acd0dee
            • Instruction Fuzzy Hash: 6922CD746046518FDB24CF29C092376F7F5AF45380F0CC89AE9968F686E735E5A2CB60
            Function 0395FB80 Relevance: 1.8, Strings: 1, Instructions: 559COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: IrwIrw@4rw@4rw
            • API String ID: 0-3882697584
            • Opcode ID: 3dd994d0328a199cc5322a8f53a3b0d9ddabba7a312ea42d027b3b09c3ee81ec
            • Instruction ID: d68f26cc18fc952df0597a08d59c8a886c10c27417c2dab38d5a78c29a776935
            • Opcode Fuzzy Hash: 3dd994d0328a199cc5322a8f53a3b0d9ddabba7a312ea42d027b3b09c3ee81ec
            • Instruction Fuzzy Hash: 2D22C27590060AEFDB14DFA8C880BAEB7B9FF84310F1486A9E8559B345E730DA45CBD0
            Function 03937370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 873f060ab9c45fa2fd7d57f2d22da81dc5b956f991a62b78df6496b830bcb05c
            • Instruction ID: 03ea2bcbf0e5723e3c75043ee5627e8f7472d41bfec076c12c22bb9612236948
            • Opcode Fuzzy Hash: 873f060ab9c45fa2fd7d57f2d22da81dc5b956f991a62b78df6496b830bcb05c
            • Instruction Fuzzy Hash: 5FA17AB5608342CFD724DF69D480A2ABBEAFF89344F14496EF5858B350E730E945CB92
            Function 03952E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 260a1acc78173226cb4095a1ff0d0b716b8ca3d1f245c982c2d606ddee3dfdf8
            • Instruction ID: f2a83fc5c7203f5b59d538b7b559893460efa8ee2634e3d67c148bf09cc31bd3
            • Opcode Fuzzy Hash: 260a1acc78173226cb4095a1ff0d0b716b8ca3d1f245c982c2d606ddee3dfdf8
            • Instruction Fuzzy Hash: 00F180796087459FDB25CF24D4C0B6BBBE9AFC8690F09486DFC898B240DB34D985CB52
            Function 0041669E Relevance: 1.7, Strings: 1, Instructions: 424COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 060a171e04e43fd65dee9cd7179cab83bf4afaf7990667a373051898f10cafd9
            • Instruction ID: be5eceffd270b37c3b640789c65308a6ba1c462991fc5218a592ec75ee56535b
            • Opcode Fuzzy Hash: 060a171e04e43fd65dee9cd7179cab83bf4afaf7990667a373051898f10cafd9
            • Instruction Fuzzy Hash: D9021EB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
            Function 004166A3 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction ID: 36a67eb71a32ba29fa93cea82bfb052b14dd7d5d18b795e2a07f11c03d79a8df
            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction Fuzzy Hash: 41021EB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
            Function 0395FDC0 Relevance: 1.6, Strings: 1, Instructions: 390COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: IrwIrw@4rw@4rw
            • API String ID: 0-3882697584
            • Opcode ID: 90c841fabbe2c1fd93b7306c42943db51bf228ceda7a46e82bdfb87f2d465a3c
            • Instruction ID: 84497bec13ceab18c39836c53ba4f813dc5a15828fadee78f5aaa0c03b85defc
            • Opcode Fuzzy Hash: 90c841fabbe2c1fd93b7306c42943db51bf228ceda7a46e82bdfb87f2d465a3c
            • Instruction Fuzzy Hash: 3EF17F74900609DFDF14DFA8C884BAEB7B9FF48314F1886A9E8159B345E734DA45CB90
            Function 0396F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e6675fcb149e436b28d110090e27ee77029d429bcdbce002ae9d042d4ae6e016
            • Instruction ID: 93cde1b9fe7bd86f5b4c10b268453c93e6b2d4e235006a161821ea52197b7155
            • Opcode Fuzzy Hash: e6675fcb149e436b28d110090e27ee77029d429bcdbce002ae9d042d4ae6e016
            • Instruction Fuzzy Hash: 084149B4901288AFDB20DFADD880AADFBF8FB49340F14816EE859A7251D7309901CF60
            Function 03930100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 81a5cbac51654900cd1d038148a480b25c83d6dc3c77d6da8b2efac38e7a90f9
            • Instruction ID: d083ac9b4990279a57c0745a872b1d3c64458aa9f2fd81d33e97d843ed87dfb7
            • Opcode Fuzzy Hash: 81a5cbac51654900cd1d038148a480b25c83d6dc3c77d6da8b2efac38e7a90f9
            • Instruction Fuzzy Hash: BBA15AB1E083696BDF28DB298850BFEA7AD5FC6344F0844D8EC87AB380D674C940CB50
            Function 00401200 Relevance: 1.5, Strings: 1, Instructions: 219COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: }
            • API String ID: 0-4239843852
            • Opcode ID: 1edcb1724164cdf5bf1c28d0aa7727bd9c6d393d5bd070574ed6f752f1af04c9
            • Instruction ID: 20b3d5cfa99d6d39675ce6d8a7061eceff98ac4c6beba8e0b79fdc5b724c6c94
            • Opcode Fuzzy Hash: 1edcb1724164cdf5bf1c28d0aa7727bd9c6d393d5bd070574ed6f752f1af04c9
            • Instruction Fuzzy Hash: 4E71C871E0060987DF188E59C8503EEB771FBD4314F64827AE815BF3E1E7799A428B85
            Function 0396A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalTags
            • API String ID: 0-1106856819
            • Opcode ID: 48a4c3a81305dd66661619f9c849acf68294f6fff10de88e10649b0fee580add
            • Instruction ID: a283528f600af483c4dfe7417389bd88e129b1759ba2bde8cfe9eb080c06b757
            • Opcode Fuzzy Hash: 48a4c3a81305dd66661619f9c849acf68294f6fff10de88e10649b0fee580add
            • Instruction Fuzzy Hash: FC716075E0071ADFDF28DF9CD5906ADBBB9BF88740F18866EE805AB240D7309941CB90
            Function 0393973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
            • Instruction ID: f117274ecd5065fd84e1fad74a177e5b944490bec8da0c37e26562d08e1a3d9f
            • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
            • Instruction Fuzzy Hash: E2615DB5D00219EFDF21DF99C840BAEFBB8FF85754F14496AE811A7290D7749901CB60
            Function 0392B2D3 Relevance: 1.4, Strings: 1, Instructions: 161COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 04rw04rwIrwIrw@4rw@4rw
            • API String ID: 0-2844649184
            • Opcode ID: 19b5530012e320c5905832393639c6c0cc3e4b03dc624ab34aa49faffccea7fd
            • Instruction ID: 3c4b62be886513e6e4e9973e5e9b5b4746c44e2558196be701e68537de1d322d
            • Opcode Fuzzy Hash: 19b5530012e320c5905832393639c6c0cc3e4b03dc624ab34aa49faffccea7fd
            • Instruction Fuzzy Hash: F0412475601B10AFDB26EF29D880F2ABBEDEF80760F15446EF5498B294D770D8018B90
            Function 039BF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
            • Instruction ID: d89e0a5a52bd5acb365125f81172008889755eb8ec7d647509ebb15a29bb5aec
            • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
            • Instruction Fuzzy Hash: E4516776614705AFD721DF64CD40FABB7B8FB84790F040929B9829B290D7B4ED14CB92
            Function 0394E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: EXT-
            • API String ID: 0-1948896318
            • Opcode ID: cef1e388fe3cd23630d80e7536ff14966d6f001d2d010e0cb13a160f6e5ef00e
            • Instruction ID: c02d21a5a94c1a0908d82287e1d30d5e8f9f174afff0be719bfdc6fa3a685390
            • Opcode Fuzzy Hash: cef1e388fe3cd23630d80e7536ff14966d6f001d2d010e0cb13a160f6e5ef00e
            • Instruction Fuzzy Hash: A2415E76909311ABD720DA79C980F6BB7ECBFC8764F440D29F984DB180E774D9048796
            Function 039EB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PreferredUILanguages
            • API String ID: 0-1884656846
            • Opcode ID: a7189802a5293d7ffd36b113b2a94d72ebecc4c1d4f1fa3b964240c3813c4a8e
            • Instruction ID: 40cfafaadc50fad05bdcc3597b42d2b8543baed371abf8daef7d000895cac5e9
            • Opcode Fuzzy Hash: a7189802a5293d7ffd36b113b2a94d72ebecc4c1d4f1fa3b964240c3813c4a8e
            • Instruction Fuzzy Hash: 2D41F336D05219ABCF12EA98C881BEEF7BDEF84750F050166E915EB254D6B0DE40C7A0
            Function 039AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: BinaryHash
            • API String ID: 0-2202222882
            • Opcode ID: ebf85ea5c4861ca3c6d405e762c170f96bfc16cafa22592bfd1f0f29ce611d63
            • Instruction ID: 6838345333d25508ed69878a86850a17e8d3b4f8081482ec84a3cf0f5a55b29d
            • Opcode Fuzzy Hash: ebf85ea5c4861ca3c6d405e762c170f96bfc16cafa22592bfd1f0f29ce611d63
            • Instruction Fuzzy Hash: 474142B5D0062DABDB21DB54CC84FDEB77CAB85714F0046A5AA08AF140DB709E898FE4
            Function 039B97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: verifier.dll
            • API String ID: 0-3265496382
            • Opcode ID: e2f7c71d511b0ff13f08003eb73ea3e9bca4921fb3c09117291521385c1d9cc1
            • Instruction ID: a30ac948b362ee5c79db938d47723ca0bc3e0607e1f31c61d28370d37ddf06c7
            • Opcode Fuzzy Hash: e2f7c71d511b0ff13f08003eb73ea3e9bca4921fb3c09117291521385c1d9cc1
            • Instruction Fuzzy Hash: 2931A375B10301AFDB24DF699950BB6B7F9EB89350F58847EEA09DF280E7318C818790
            Function 039636EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Flst
            • API String ID: 0-2374792617
            • Opcode ID: 062fb2afcd1c555e823bcdfab88a212d72f810e03ad3de8828552fe7e77eeefb
            • Instruction ID: 97573f71cf06deb884e0e961027663fe0bf8219b76d94a98d032844dd7f63c17
            • Opcode Fuzzy Hash: 062fb2afcd1c555e823bcdfab88a212d72f810e03ad3de8828552fe7e77eeefb
            • Instruction Fuzzy Hash: E8418AB56063019FC314CF18C5C0A16FBE8EB8A750F188A6EE49A8F291D771D942CB91
            Function 03929730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: L4rwL4rw
            • API String ID: 0-1810648253
            • Opcode ID: e40830fe6e9f1bca1ba9073a8ad962ba122fb0bdb0295e355193d2bc0b4edcaa
            • Instruction ID: dcb65e55958a1fa8d3eb1c378ddd2e660c6e4b1ac5429098a695d0476b8715ba
            • Opcode Fuzzy Hash: e40830fe6e9f1bca1ba9073a8ad962ba122fb0bdb0295e355193d2bc0b4edcaa
            • Instruction Fuzzy Hash: 7121B07AA00F24AFC722EF5CC800B1ABFB9FBD5B50F160869A9559B355D770E811CB90
            Function 03935096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx
            • API String ID: 0-89312691
            • Opcode ID: 2a02cd9e923654f6570a3ad324beb56cb13e9afbf388e222061a8bbabfc17192
            • Instruction ID: a02e2eeaa332983f19088d7955de3a3f30255249b333e00f353b33e0dc3f3fb0
            • Opcode Fuzzy Hash: 2a02cd9e923654f6570a3ad324beb56cb13e9afbf388e222061a8bbabfc17192
            • Instruction Fuzzy Hash: 7F1189B07096028BEB24C91D88506B6F2DDEB9F3A4F3E852AD465CB391D673DC41C780
            Function 0396E8F0 Relevance: 1.0, Instructions: 985COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3ec00cfd9d2ff898b47738fe03c997e8ca43343d068b3edaf75f064bdc4d7e7
            • Instruction ID: b6fab3e346f4f32eff75387e1a9cf0a9235a258b3b293f3bebaa7aa39ec47dde
            • Opcode Fuzzy Hash: a3ec00cfd9d2ff898b47738fe03c997e8ca43343d068b3edaf75f064bdc4d7e7
            • Instruction Fuzzy Hash: E5823472F102188FCB58CFADD8916DDB7F2EF88314B19812DE416EB345DA34AC568B45
            Function 0397516C Relevance: .8, Instructions: 785COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5e3fed715fca9fa59649056d06f6d02cfab67e5a5b2792196506c5f6139284c0
            • Instruction ID: 32e7b0600b6f8fcaa4c793da3ddf852b1a7d5c42de26a94319f2e325f726c950
            • Opcode Fuzzy Hash: 5e3fed715fca9fa59649056d06f6d02cfab67e5a5b2792196506c5f6139284c0
            • Instruction Fuzzy Hash: 0662AE3290864AEFCF64DF08D4914AEFB66FF52354B4AC69CC89A67644D331BA44CBD0
            Function 0398739A Relevance: .7, Instructions: 705COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd7f4b627eaee5ae72374c8decf63276f910f58ce9d00383da4d3c9df7630c1a
            • Instruction ID: 92d1444bc1334e25603dd8155499f083423fd045d23839935d2f0f2da837e3e7
            • Opcode Fuzzy Hash: bd7f4b627eaee5ae72374c8decf63276f910f58ce9d00383da4d3c9df7630c1a
            • Instruction Fuzzy Hash: 8D42A175A006168FDB14EF99C480ABEF7BAFFC8354B28855DD552AB340D735E842CB90
            Function 03985AA0 Relevance: .7, Instructions: 652COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
            • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
            Function 0395B2C0 Relevance: .6, Instructions: 629COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 94e018dc3dd31b93e75ff7b8237edeb1c000d8ef590097a00ae183622c62f6ac
            • Instruction ID: 35983840929e6880d6d85e8eb32feaa614c13693fdc41ff3c48263bbf81466ac
            • Opcode Fuzzy Hash: 94e018dc3dd31b93e75ff7b8237edeb1c000d8ef590097a00ae183622c62f6ac
            • Instruction Fuzzy Hash: 7632AD76E01219DBCF24DFA8C890BAEBBB5FF94754F180029EC05AB390E7359941CB91
            Function 039F16CC Relevance: .6, Instructions: 571COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3825bc7d0babcf8c77cb0a11fa0b7f15dff6ce70271616bd9832bae9c36580d1
            • Instruction ID: 803add073cac3ef919ef31e44461e3ec7daff7803649618a48d00ef32cccc71a
            • Opcode Fuzzy Hash: 3825bc7d0babcf8c77cb0a11fa0b7f15dff6ce70271616bd9832bae9c36580d1
            • Instruction Fuzzy Hash: E5229135A00216CFDB19CF59C490ABAF7BABF88354B28456DDA56DB344DB30E942CBD0
            Function 039F1D5A Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d470834291d37699c7dfea2f2edd9c6873589764ce0b95be13f656af4acea11c
            • Instruction ID: 20f23c0350f94d10940c485009700f7d32d24db2988f2bb2112de4b5dc7a619c
            • Opcode Fuzzy Hash: d470834291d37699c7dfea2f2edd9c6873589764ce0b95be13f656af4acea11c
            • Instruction Fuzzy Hash: 5E2291796047128FC719CF18C490A6AF3E9FF89354F188A6DEA96CB355D730E842CB91
            Function 03958DBF Relevance: .6, Instructions: 554COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e90231a364a87ab69bde68d2a6ca25c4bf1a910f64807d129e8d709584ea2658
            • Instruction ID: a7c4ddf9c30d3168e26f1a5971a4daf2b0242b5ab6d3414e1f98c185a484f991
            • Opcode Fuzzy Hash: e90231a364a87ab69bde68d2a6ca25c4bf1a910f64807d129e8d709584ea2658
            • Instruction Fuzzy Hash: 72224074E0421ADBDF14CF69C4819BEFBFABF48345B18849AEC459B241E734D981CBA0
            Function 039F2446 Relevance: .5, Instructions: 485COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c2f734955021af14b0dd386e7e57e3bcf04b74c03aa18c2f114f30d28fc9d33
            • Instruction ID: 4111e5207ddbadf5a774715c749adad2c3b12f41715d00598d53494b7293d6c4
            • Opcode Fuzzy Hash: 6c2f734955021af14b0dd386e7e57e3bcf04b74c03aa18c2f114f30d28fc9d33
            • Instruction Fuzzy Hash: C202F2386046518FDB24CF2AC5503B5FBF5AF85340B588D9AEAD6CF282D734E852DB60
            Function 03A0B16B Relevance: .4, Instructions: 450COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6038d32524ad9de7d2a631b01d05f89750c36c2fbbd7c66afa8b5af0fbf26921
            • Instruction ID: ed3b7f38fba1ea731b97a574367d7ffcdb0d175c053170f66fbb4911096a2766
            • Opcode Fuzzy Hash: 6038d32524ad9de7d2a631b01d05f89750c36c2fbbd7c66afa8b5af0fbf26921
            • Instruction Fuzzy Hash: 7AF1D672E006159FCB18CFA9DAA067EFBF5AF98310719416ED456DB3C0D634EA41CBA0
            Function 0040FF73 Relevance: .4, Instructions: 435COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction ID: bc3dc1c74e1b29bd7803e655d61e04224c72a0e6528a9659707e5c9b927de1d7
            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction Fuzzy Hash: C5026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
            Function 03A0A9A6 Relevance: .4, Instructions: 425COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3a3e57e0017715110bc426b2e24bbb782d7025f6f24ee426169268f0a806f4a1
            • Instruction ID: 29208016afae59f66892f0dca354442cbf85af9ed462a17ecd09decc27f4414a
            • Opcode Fuzzy Hash: 3a3e57e0017715110bc426b2e24bbb782d7025f6f24ee426169268f0a806f4a1
            • Instruction Fuzzy Hash: 89F19272E006269BCB18CFA9D5A05BDFBB5AF45310B1A426ED856EB3C0D734DE41CB90
            Function 03928397 Relevance: .4, Instructions: 380COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3736c0d6d26d1a421a7e4a6328024a6a9f8e5f3e9d7f0676971fce1364d093cc
            • Instruction ID: 3cf020761bfaa3f149c3a2f518286beb52f8fccf628730a08db8b51fb0e4ec50
            • Opcode Fuzzy Hash: 3736c0d6d26d1a421a7e4a6328024a6a9f8e5f3e9d7f0676971fce1364d093cc
            • Instruction Fuzzy Hash: A5D1F675A04B2A9BCF14EF68C890FBEBBA9FF84354F084629E815DB284E734D940C750
            Function 0395C6E0 Relevance: .4, Instructions: 367COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e560e72a9a4d3c00769a00a07349229c95fa395469c578ca19b31d02ae88c732
            • Instruction ID: d5bcbb22fbfbaf2f4179e4d0785955b21bae53104ff8d49a1d12a5e65179becf
            • Opcode Fuzzy Hash: e560e72a9a4d3c00769a00a07349229c95fa395469c578ca19b31d02ae88c732
            • Instruction Fuzzy Hash: DAD15971E043199BEF28CE9CC5943BDBBB9FB44380F18846AE942AB694D77489C1CF44
            Function 039438E0 Relevance: .3, Instructions: 349COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0fddaa191186e2a79efca6c7ad14d2a48650c51ee476d4a1facbb3f4de2cbd3d
            • Instruction ID: 30acfd71f3cc3b2ac133d2d1633280e8de2b9437cbdb20b7f8edb1d6b4f1cacd
            • Opcode Fuzzy Hash: 0fddaa191186e2a79efca6c7ad14d2a48650c51ee476d4a1facbb3f4de2cbd3d
            • Instruction Fuzzy Hash: 35E19E75A01206DFDB18CF68C890BAABBF5FF58310F18859AE855EB391D734E941CB90
            Function 0394CFE0 Relevance: .3, Instructions: 345COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ad44c1b39b3d6390fdccdd7a912f668bd5494e615c0932a224f71847bfee9fba
            • Instruction ID: 6d5f70203074fb8501e3b6e7cbceac4099d9a163bc93c9eb851453a4f103a10a
            • Opcode Fuzzy Hash: ad44c1b39b3d6390fdccdd7a912f668bd5494e615c0932a224f71847bfee9fba
            • Instruction Fuzzy Hash: 58D1B538A003198FDB35DB19C894FAAF7B9BF49744F0840E9D9099B282D774AD85CF51
            Function 0393D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bbfea26ac800e2932bdac149368ad7365c848f051a0ad74a89032508ed4a01d2
            • Instruction ID: 4966f04c6505a6590aa87b9a0048dd7992525f724b62c142e8c714ae5b62be27
            • Opcode Fuzzy Hash: bbfea26ac800e2932bdac149368ad7365c848f051a0ad74a89032508ed4a01d2
            • Instruction Fuzzy Hash: 1BC1D871E002159BEF25CF5EC850BAEF7B9FF95350F188269D815AB290D770E942CB80
            Function 03940535 Relevance: .3, Instructions: 300COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction ID: 366877a76eb31d49338d0c8da260b6567f2eb4c974b2e2c509db72002bd077d4
            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction Fuzzy Hash: ADB10475600645AFEF22DBA9C850FBEFBFAEF85200F190599D6469B381D730E941CB90
            Function 039590DB Relevance: .3, Instructions: 287COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9347bfb4465f50722d68fd434874e7db00dae84e9d62f1512d8ae0a019feb000
            • Instruction ID: 9f13ce913a47fde885b012cda6ca705c95f68b7ea61d71bfdfac84f6d2022c7e
            • Opcode Fuzzy Hash: 9347bfb4465f50722d68fd434874e7db00dae84e9d62f1512d8ae0a019feb000
            • Instruction Fuzzy Hash: 43A13875910215AFEB22EFA8CC85FAEB7B9EF85750F050154FA00AF2A0D7759D50CBA0
            Function 039383C0 Relevance: .3, Instructions: 281COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52dbcff7c63aff9e13c2d8037d7bd00e05bbebe834defe1651210e008aca94dc
            • Instruction ID: 638b1f1a1bbba3ff87afb3291a9ddf829f9e5304776465dc79d5f955a2306e37
            • Opcode Fuzzy Hash: 52dbcff7c63aff9e13c2d8037d7bd00e05bbebe834defe1651210e008aca94dc
            • Instruction Fuzzy Hash: 7AC14A741083418FEB64CF19C484BABB7E9FF88344F48495EE9898B290D774E948CF92
            Function 03970185 Relevance: .3, Instructions: 276COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c580369e941c7327f4848b77b9be62db535fa51c20675e62bb2f1def0f7128c2
            • Instruction ID: 5e050afd59b0e335216f08f6e28e82ef55c0ac536ec00a17858dcd22263ada87
            • Opcode Fuzzy Hash: c580369e941c7327f4848b77b9be62db535fa51c20675e62bb2f1def0f7128c2
            • Instruction Fuzzy Hash: 6FA1BF71B0071ADBDB24DF69C990BAAB7B9FF44354F044529EA459B3C1EB34E812CB90
            Function 0394E3F0 Relevance: .3, Instructions: 261COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4ee828f50d237af1473309eb7ade8624dc6795d1265388e0149b171db31922c2
            • Instruction ID: d3a81b05c4a5ceebcf31b530685e1a3aa0f13e216263b210b59419b2a7181783
            • Opcode Fuzzy Hash: 4ee828f50d237af1473309eb7ade8624dc6795d1265388e0149b171db31922c2
            • Instruction Fuzzy Hash: DE912235E006159BEB24DB2DD884F7EB7A9FF84750F0944AAE8059F290E738DD41CB91
            Function 03931131 Relevance: .3, Instructions: 259COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f88ee619acf2d58a1cca7c8c3d1ed2b759aa85553809bb896952a07208747cba
            • Instruction ID: 29d19c96ff3dd93420828706cb17e5722620b50249069ca7e05fd06670b6ea06
            • Opcode Fuzzy Hash: f88ee619acf2d58a1cca7c8c3d1ed2b759aa85553809bb896952a07208747cba
            • Instruction Fuzzy Hash: CBB102B56093409FD354DF28C480A6AFBF5BB89344F18496EF89ACB361D371E945CB42
            Function 03964750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction ID: ffd341b935467b4320844603863370d840e336fe8e1820b08851f90ead70a49e
            • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction Fuzzy Hash: A0814A35E056969FDB21CEEDC8C027EBB59EF52240F2C4B7AD8429B241C264D886C7D1
            Function 0397DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction ID: c427f7b30329e291a5b462481da266829a82dbf32835c607e9e0935629f12291
            • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction Fuzzy Hash: 30915D72620A06CFD725CF2DC885666FBE4FF55364B288A18E4EADB6E0D375E511CB00
            Function 039FF7B0 Relevance: .2, Instructions: 242COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 15c8dab48fa6c868a5fbc48a29850ed6b933f3823fae68dd84ff98d207470f69
            • Instruction ID: 783705157ce0c4970f3582afceaef0fd8fe36ca455c7d3998bdb7e43008164ef
            • Opcode Fuzzy Hash: 15c8dab48fa6c868a5fbc48a29850ed6b933f3823fae68dd84ff98d207470f69
            • Instruction Fuzzy Hash: 1E91E672A00206AFDB14CF28C88076AB7E9EF84350F188578EA57DB291E774ED51CB90
            Function 039FF43F Relevance: .2, Instructions: 241COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ed64df9bf88b56976c2cd914989924120bcf81670e9c790a85091a1e304f32b6
            • Instruction ID: 576d2a647b4a987776dbc4dbd5f675b34aaa1442728c722f5578a644d9e5bbec
            • Opcode Fuzzy Hash: ed64df9bf88b56976c2cd914989924120bcf81670e9c790a85091a1e304f32b6
            • Instruction Fuzzy Hash: 0591D172A005198FCB18CF69C8906BEBBF1FF88310F1986A9E916DB395D634D901CB50
            Function 039F81CC Relevance: .2, Instructions: 232COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 35d5ee557291f30c77a926fd46e7a719e8488ef7446656f633e1625b168b79a7
            • Instruction ID: 35f4dab3a98e87debc497847e352156cfc0236e140e87bca01c9d7c1fe7cc62f
            • Opcode Fuzzy Hash: 35d5ee557291f30c77a926fd46e7a719e8488ef7446656f633e1625b168b79a7
            • Instruction Fuzzy Hash: 6E810672E046199FCB54CF69C8805BEB7F5FF88360B18472AD925E7280D774E912CB90
            Function 03940E59 Relevance: .2, Instructions: 231COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 58782b85187ea80d1e3cb2874edc1b7f2addee4db8156c64c8ec4b57f486699e
            • Instruction ID: 3fb09e7b7910c33689a94b68cff3dce7d82913c537e4ad8856529d17d6f8f262
            • Opcode Fuzzy Hash: 58782b85187ea80d1e3cb2874edc1b7f2addee4db8156c64c8ec4b57f486699e
            • Instruction Fuzzy Hash: 8F819131A00659DFDB14CF69C880DAFFBB6FFC5250B2982A9E9549B349D730E941CB90
            Function 039EE4F6 Relevance: .2, Instructions: 224COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4050364db504829570bdc0dadb8571b3243cad64b893912e75439adb1994aed4
            • Instruction ID: a650856df2feb4ff11db705de29bc0f12ead3d023447e36470538caeab84cca0
            • Opcode Fuzzy Hash: 4050364db504829570bdc0dadb8571b3243cad64b893912e75439adb1994aed4
            • Instruction Fuzzy Hash: 65818D76E002159BCF29DF99C590AADFBF5EB88310F1981AAD816EF385D7309D41CB90
            Function 0395D090 Relevance: .2, Instructions: 217COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction ID: 730fd54de18d9a913cf02307e8cdcf5a6ea1175b1f4a4e67d609859e36943a3b
            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction Fuzzy Hash: 0E815076E0011A8BEF18DF9CC9807AEF7B6FF84344F19856BE815BB344D63599808B91
            Function 0396E284 Relevance: .2, Instructions: 212COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b0722dd0c47697ab3210ed944fb3e02eff813c4c46b44aeef906d0fc6d76892f
            • Instruction ID: bbe9074798bfd416cb41ca380c7a86a6437df919cdd4f14a8b0f68cc0ac44b69
            • Opcode Fuzzy Hash: b0722dd0c47697ab3210ed944fb3e02eff813c4c46b44aeef906d0fc6d76892f
            • Instruction Fuzzy Hash: 8A817C75E01709AFDB25CFA9C980EEEF7BAFB88340F144429E556A7250D730AC05CBA0
            Function 0395B950 Relevance: .2, Instructions: 209COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cc5a8969a0d5b10f0221eb079aa461e746d3e066c6215519cd31a8eb944e6890
            • Instruction ID: a17ef5009711c0296c821b8330640389af633f515d96157f51bbd62e59d819e4
            • Opcode Fuzzy Hash: cc5a8969a0d5b10f0221eb079aa461e746d3e066c6215519cd31a8eb944e6890
            • Instruction Fuzzy Hash: F271D5346047508FFB24DE2AC940736B7E5AB85744F18895EFC968B1C8DB75E886CB60
            Function 0394C640 Relevance: .2, Instructions: 206COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c69f79644cd5390361075b6a1de9872e95ddc76badbd60773fa13d9060063c1c
            • Instruction ID: 1e2ed8e36cb99fc7b4f8434262a4db134707c04b475ee3d5fde1f4f1ae75190b
            • Opcode Fuzzy Hash: c69f79644cd5390361075b6a1de9872e95ddc76badbd60773fa13d9060063c1c
            • Instruction Fuzzy Hash: 5B71EEB6C06225AFDB25DF5DC590BBEBBB8FF59700F14455AE842AB350E3309801CBA0
            Function 039EDAC6 Relevance: .2, Instructions: 202COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb1d89b3d1dc55d5f1799eaecbbc40afd201182e4a28e2c1276ac21e450be91a
            • Instruction ID: b16a4a2bd0dba55c3a260d8d863068498e02d31eda03661d9eb16d58428ba0f3
            • Opcode Fuzzy Hash: eb1d89b3d1dc55d5f1799eaecbbc40afd201182e4a28e2c1276ac21e450be91a
            • Instruction Fuzzy Hash: 0F818C70D002A5DFDB26CF6AC440AAAFBF9EF49780F04C899E495AB685D374D881DF50
            Function 039F70E9 Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 336189aa00a5e562f653ddf0d58f3c6a2a064ab03518e20639928257a77de510
            • Instruction ID: a22b26ac108ee6f8eafa4c728f9f15e2823261286fa52f2461b7ad9de677e1f6
            • Opcode Fuzzy Hash: 336189aa00a5e562f653ddf0d58f3c6a2a064ab03518e20639928257a77de510
            • Instruction Fuzzy Hash: 9A61B375E0031AAFCB14EFE5C8819FFB77DBF84294F14442AEA11AB240DB74D9458B90
            Function 0394260B Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ace1d1824d575bd4330d6517b33ccfea3a8ca9f5be7b459a9504fe91c96414ca
            • Instruction ID: 791c7301a5f4dcb021d15fdfe0822051e6d1a8c8525cca0af34ffa464511ae56
            • Opcode Fuzzy Hash: ace1d1824d575bd4330d6517b33ccfea3a8ca9f5be7b459a9504fe91c96414ca
            • Instruction Fuzzy Hash: A471C1756046419FD711DF28C480F2AB7E9FF88750F0989AAF899CB351EB34E846CB91
            Function 039EF0CC Relevance: .2, Instructions: 199COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 157356949a91bb15ebd4a9f26001969155505a17c215b55871f4947fbd0277d7
            • Instruction ID: 3438e3ad744ac8ed5699fa3d10408795bfd42270f57adf0964bb4df698437add
            • Opcode Fuzzy Hash: 157356949a91bb15ebd4a9f26001969155505a17c215b55871f4947fbd0277d7
            • Instruction Fuzzy Hash: 0D717979A01626DBCB26CF5AC09017AF3F5FB85745B6A48AFD88397340D374E941CB90
            Function 039B035C Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction ID: f9a222c3f0d94e430f66883024022b1321a2b9552db90cc40a51e9ee02e9a63a
            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction Fuzzy Hash: 0F713E75E00619AFCB10DFA5CA84EEEBBB9FF88700F144569E505AB650DB34EA41CB90
            Function 039C62A0 Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 21df5ae5694a914da9e6a7eabb68d56831c94adf165ed0e232b86854b8284433
            • Instruction ID: e90078a0329aa9e69ae3f576e9a864444313292ce734d0719eb19987ad45b626
            • Opcode Fuzzy Hash: 21df5ae5694a914da9e6a7eabb68d56831c94adf165ed0e232b86854b8284433
            • Instruction Fuzzy Hash: A971E136220B41AFEB31DF18C844FAAB7B9EF84760F18492CE5568B2E0D775E944CB51
            Function 039F7A46 Relevance: .2, Instructions: 193COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 03f389af35cb364ac61a7254da2a969c28a818a9e33f1323c646e22191613010
            • Instruction ID: 76d07a1222891c6557c85f745bb1b73c61eb6034c5009bbfa214f6c7019afc9b
            • Opcode Fuzzy Hash: 03f389af35cb364ac61a7254da2a969c28a818a9e33f1323c646e22191613010
            • Instruction Fuzzy Hash: 8D514D75A002265FCB14DFA9C8809BAF7F6EFC8391F184569EE54DB384DA34C902C7A0
            Function 039F132D Relevance: .2, Instructions: 188COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 555a2650d11d8310621bee8ef9cb33621b05db2ef164c6662455f27fb5bf0e17
            • Instruction ID: a4f2bf499a235832fff0770de2a7973d12df3b9e2e0cd2953689f6ef609ea3e4
            • Opcode Fuzzy Hash: 555a2650d11d8310621bee8ef9cb33621b05db2ef164c6662455f27fb5bf0e17
            • Instruction Fuzzy Hash: 98818075A00245DFCB09CFA9C490AAEBBF1FF88310F1981A9D859EB355D734EA51CB90
            Function 039F903E Relevance: .2, Instructions: 186COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 11ddd14efb5ea74ee5b9304d537cada2521a08d52abb31f31ce7487dec7b33d2
            • Instruction ID: 5daa46c2b61817adea0573f0e9a2eef6cced10344fdd10e058580bfdeab2ba80
            • Opcode Fuzzy Hash: 11ddd14efb5ea74ee5b9304d537cada2521a08d52abb31f31ce7487dec7b33d2
            • Instruction Fuzzy Hash: FB61EFB6600715AFD715DF68C884FABBBE9FF88754F048619FA698B240DB30E510CB91
            Function 03937703 Relevance: .2, Instructions: 179COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44fbe83120f696f56aa08ccef69da6f62a69604f14c75e960c8c9fa9c4a9dc5e
            • Instruction ID: b8fb202e4b5e63752e1364104f2132ea82020c131c681134da53bc3f3496ddb7
            • Opcode Fuzzy Hash: 44fbe83120f696f56aa08ccef69da6f62a69604f14c75e960c8c9fa9c4a9dc5e
            • Instruction Fuzzy Hash: 046145B5A00605EFDB18DFA8C480AADFBB9FF89340F18856AD51A97350DB30A941CBD0
            Function 039F92A6 Relevance: .2, Instructions: 174COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c3a1f0b4da189cc7e7defcffc391e49d8a67ac042d4b7312736982322a51d34
            • Instruction ID: d06de6ae877da4ab925389f906575cdc33cc87a736aee41d7089ad0be8b07f87
            • Opcode Fuzzy Hash: 3c3a1f0b4da189cc7e7defcffc391e49d8a67ac042d4b7312736982322a51d34
            • Instruction Fuzzy Hash: BF6115356047428FD311CF68C894BAAF7E4FF90758F18486DEA858B2D1DB75E806CB91
            Function 039FCE93 Relevance: .2, Instructions: 172COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction ID: 88e13f11103786621f9fc88618ddcca91107878d89d6a6c4c107168ea44373ef
            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction Fuzzy Hash: 8351083260470A5FC714DE29885076BFBDAAFC1290F1DC96DEA95CB249DB30D909CF91
            Function 0040FD53 Relevance: .2, Instructions: 165COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction ID: 2121c664a8c5830da041c923ef2f7bbf52f7bd70e106dfbbfbc710aa3fcfd6ec
            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction Fuzzy Hash: CF5173B3E14A214BD3188E09CC40631B792EFD8312B5F81BEDD199B397CE74E9519A90
            Function 039F7D73 Relevance: .2, Instructions: 160COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f07f0daaed29cdc656ceecbfe52929eccc2bad22af0778c3e6f8ffa56275ca0f
            • Instruction ID: 7f82b27c7e3f16cf8419b454b104ec28e48d22ab87ef5f51c2d748a79c554ce0
            • Opcode Fuzzy Hash: f07f0daaed29cdc656ceecbfe52929eccc2bad22af0778c3e6f8ffa56275ca0f
            • Instruction Fuzzy Hash: 6551A236A1014A8FCB08CFB8C480AAEB7F5EF98354F19827AD915DB355E734DA15CB90
            Function 03943740 Relevance: .2, Instructions: 159COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c8b9c66fe4316a0518449753d6cdc118029dc8002c94d5da8bc5b7babeaacc0
            • Instruction ID: efdf42e363ed3c047a101a7e9487b7c8d0aafd3a70ff87d31b33656bed50935b
            • Opcode Fuzzy Hash: 8c8b9c66fe4316a0518449753d6cdc118029dc8002c94d5da8bc5b7babeaacc0
            • Instruction Fuzzy Hash: 4F51EE79A00616AFD721CF6CC4C0A69F7B8FF44750B0986A9E895DB740E734E9A1CBC0
            Function 0040FD4E Relevance: .2, Instructions: 159COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3f75038a1893a4934b6a3f4db3a6868c1102ce525b26c96f83ed9d494807d0d7
            • Instruction ID: 44a6e7bdd143c2028cf6b39cf1abbbdefa585b31e840b2417f544b6a839c3603
            • Opcode Fuzzy Hash: 3f75038a1893a4934b6a3f4db3a6868c1102ce525b26c96f83ed9d494807d0d7
            • Instruction Fuzzy Hash: E65173B3E14A214BD3188F09CC50631B692EFD8312B5F81BEDD199B397CE74E9529A90
            Function 03937152 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d8bf7413d5e54da11e23a1ba4059b50aa64c6d3715a28245bac2c82f03c9abd1
            • Instruction ID: ef415fee73bfbfc3e357b5ca88d385a16a15b9cef2c7e8fba4cd2e6f45ea9691
            • Opcode Fuzzy Hash: d8bf7413d5e54da11e23a1ba4059b50aa64c6d3715a28245bac2c82f03c9abd1
            • Instruction Fuzzy Hash: 085104B6A0060AEFEF15DFE8C984BBEB7B8FF45355F14446AE40297290DB749911CB80
            Function 039B3A6C Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ec172953c4c8fe538c471ef515daab3497309246d3ebc680f5fcc0bdf5cd8c0c
            • Instruction ID: b3af6768cc9cf6634e2a53f3f492acb051db57cbde635f4da0b33a14156b3536
            • Opcode Fuzzy Hash: ec172953c4c8fe538c471ef515daab3497309246d3ebc680f5fcc0bdf5cd8c0c
            • Instruction Fuzzy Hash: AF518F36E4012E4BEF28CA58D4A1BFFB3F6EB44310F48081EE855BB3C4C6766956D660
            Function 039FD26B Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction ID: 1bc027a63912eb18008131f5e94ccbc3694e8b8f7d1271413e657e697af2f449
            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction Fuzzy Hash: B4517E766087429FC711CF28C884B6AB7E9FFC8344F04892DFA948B284D774E905CB92
            Function 039F7571 Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: deb2a38f305de0bb5b39bb516354a6d5de643313fae0f0bf52ebda42348deda6
            • Instruction ID: cb973d01bf08b29ac37a97fd16f7f8b3def901471ab712eda0b84ac9879f9ff9
            • Opcode Fuzzy Hash: deb2a38f305de0bb5b39bb516354a6d5de643313fae0f0bf52ebda42348deda6
            • Instruction Fuzzy Hash: A451F731A00219AFCB14EFA9D844A7EFBB9FF88390F084169DA11D7250DB70AD11CB80
            Function 039351ED Relevance: .1, Instructions: 149COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e89fc7b3848f69c627007b2db06e45c55dc26c017d550cd138af7dbd51494999
            • Instruction ID: ac87e01b8da8008e304d93eb83ac3f45f2515d22c17a758c19ee2138a57256aa
            • Opcode Fuzzy Hash: e89fc7b3848f69c627007b2db06e45c55dc26c017d550cd138af7dbd51494999
            • Instruction Fuzzy Hash: 3F518CB5A06215DFEF21DBA9C840BADB3B8BB4E394F1A0459D811EB250D7B49940CB52
            Function 0396F71F Relevance: .1, Instructions: 143COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73f680da57ded735fd2fbc8f6dd0fb99062ad429b7a134df1ed5b5465a16c50f
            • Instruction ID: 504bba3568f69f2e10fed87757a9d6768ff1c6075dbc165aac900b328d421d42
            • Opcode Fuzzy Hash: 73f680da57ded735fd2fbc8f6dd0fb99062ad429b7a134df1ed5b5465a16c50f
            • Instruction Fuzzy Hash: BD41967AD0522AABDB11DBACD880ABFB7BCAF44790F450166E901EB600D634DE0187E4
            Function 039601F8 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 71f99e71cd818cfe8a5d836217e6329cc331e7b0abb3f243db6d715388370cf3
            • Instruction ID: ed83bac4fa6198883f65aca3e06c8171ef958d7cedead2aab7c7576d83a7cd33
            • Opcode Fuzzy Hash: 71f99e71cd818cfe8a5d836217e6329cc331e7b0abb3f243db6d715388370cf3
            • Instruction Fuzzy Hash: 8C41A036D062159BCB14DF98C480AEDF7B8BF88750F58825AE816FB350D7359D41CBA4
            Function 03972750 Relevance: .1, Instructions: 137COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction ID: 7fea224a807d26ef8cd0004d35f3a3b3e2282d1582f5b7757747fb6d4650b12e
            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction Fuzzy Hash: FA513A75A00615DFCB15CF58C580AAEF7FAFF84750F2886A9D855A7350D730AE41CB90
            Function 03936154 Relevance: .1, Instructions: 133COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c5b0da34defbf196d73e7f3099ca05a4db3b5af703821ff464a4021ec322c896
            • Instruction ID: 956c74d3f58164bbf2f69bd3df455fdf062be794af3332b8b4bb451fe1122fad
            • Opcode Fuzzy Hash: c5b0da34defbf196d73e7f3099ca05a4db3b5af703821ff464a4021ec322c896
            • Instruction Fuzzy Hash: AE512BB0904616EBDB25DB68CC44BB9BBB9FF42314F0842A5D469DB3D0E7789981CF40
            Function 0392B136 Relevance: .1, Instructions: 131COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bdb17c72c4c79d1dbe5d8ef5e1ce9f117eeb2999759423b36ea5746f9685ee6a
            • Instruction ID: ef383b34b0dbee689a28b6285a7b70ff35d6c28be1221fbb4390380c179f49f2
            • Opcode Fuzzy Hash: bdb17c72c4c79d1dbe5d8ef5e1ce9f117eeb2999759423b36ea5746f9685ee6a
            • Instruction Fuzzy Hash: CE41CD75641B11EFDB21EF68C880B2ABBECEF90794F044869E555DB265D770D800CFA0
            Function 039FF0E0 Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0fd3dc897ddbbb39a3555bf845a17889585977490baa806a961046b95c93eb0e
            • Instruction ID: 9d08243e6e7677cdb2a736adbbbdaf2ec44e44466d48ebcce2d031b47480c1e4
            • Opcode Fuzzy Hash: 0fd3dc897ddbbb39a3555bf845a17889585977490baa806a961046b95c93eb0e
            • Instruction Fuzzy Hash: FA41A1752083419FD704CF25D8A597ABBE1FBC4715F084A5EE9968B282C730D91ACB62
            Function 039F866E Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction ID: d0f1ed0c6ce76a34e209f0891dd163fd8b6b16bbaba571ef8ca36cf28099f40b
            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction Fuzzy Hash: 3B41D376B04219AFDF54DF99CC85AAFBBBEAF88250F184069EA00A7341D670DD018760
            Function 039DD5B0 Relevance: .1, Instructions: 128COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 837fc58825e10f09d249289c71cb4f8e44c7dc5b8be6c81f71001c473eb6f9a8
            • Instruction ID: 0c2c8dea10f00a045c1b4a1f2b495ffc9b5928c7b515d2bb48d558cb22cde75b
            • Opcode Fuzzy Hash: 837fc58825e10f09d249289c71cb4f8e44c7dc5b8be6c81f71001c473eb6f9a8
            • Instruction Fuzzy Hash: 1B410430A082959FCB14EF29C496ABAFBF5FF49300F49C499E4C58F245C735A456DBA0
            Function 0395D6E0 Relevance: .1, Instructions: 126COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 541395633a021d67d9c2350633cbcb57736e0d3d81912f44b3639478ba080369
            • Instruction ID: 66e309bc1666b9fa695396de88c26d41fde91a5408166543e899a710e1400a5c
            • Opcode Fuzzy Hash: 541395633a021d67d9c2350633cbcb57736e0d3d81912f44b3639478ba080369
            • Instruction Fuzzy Hash: 7041B3765047009FE734EF6DC990F6AB7A8EB99761F04052EFC568B291DB30E842CB91
            Function 0392A020 Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction ID: 2ec39efd50007d142e90623ec2c8841a0cffd065eaee4f6d461c365c0a015e62
            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction Fuzzy Hash: 13414C32A00621DBCB20FF9584507BAFB7AEBC1794F1D806AE8458B244DA359D40CB90
            Function 03960710 Relevance: .1, Instructions: 121COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction ID: 10f74072acabd0f800fcdddcc727b22813b1781a1a1420cbf4bd17e42513d40b
            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction Fuzzy Hash: 7341F375A05705EFDB24CF98C980AAAB7F8FB18740B10496DE556DB790E730AA44CB90
            Function 0393262C Relevance: .1, Instructions: 119COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 37cc640688d5dda1e6933b43d30bd3b366249fcdfb4c06466856af2e784a325e
            • Instruction ID: 094935be55932ccfa9e0c15fe028a907be1e887288fc8d727d9f8459dc80ae9e
            • Opcode Fuzzy Hash: 37cc640688d5dda1e6933b43d30bd3b366249fcdfb4c06466856af2e784a325e
            • Instruction Fuzzy Hash: 0241E1B4501714DFCB21EF28D940A29B7FAFF86354F148AAAC4979B2A1DB30A941CB51
            Function 039FFFB1 Relevance: .1, Instructions: 117COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7e1d4b68af7c5e31aa14eae277537b4c174256b7cb45027ff255658b1bf50114
            • Instruction ID: 909bc198b6e07c7cfff99b0d18c19fc44fd70bc5e70573380fcae07a5627e214
            • Opcode Fuzzy Hash: 7e1d4b68af7c5e31aa14eae277537b4c174256b7cb45027ff255658b1bf50114
            • Instruction Fuzzy Hash: 17412635A042599FD744CF2A94A0ABBBFF1EF85305F0DC1ABD8819B282D639C546C770
            Function 039FFA49 Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e401420b45d001f750c6c60681b1255d788e8b46cc3e99d037555a2aeb75a0bf
            • Instruction ID: e0159cb1042b1f5887ac3b1fd7573dda3bdd13ce4b9a3c7da326317b2adaf331
            • Opcode Fuzzy Hash: e401420b45d001f750c6c60681b1255d788e8b46cc3e99d037555a2aeb75a0bf
            • Instruction Fuzzy Hash: 4D3159367105079FD718CF29CC44AA3BB9DEF88754F088674EA1ACB284E774D845C394
            Function 039FEEDB Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 37052400e49380d8b46ecdd09c316fec71546efc8511eba3188e149623c408ca
            • Instruction ID: 127be9e61879676efd90cef451f229b8b76d1f59d1af8b42046e4de75b65e7f1
            • Opcode Fuzzy Hash: 37052400e49380d8b46ecdd09c316fec71546efc8511eba3188e149623c408ca
            • Instruction Fuzzy Hash: 34418133E0412A8BCB18DF68D49197AF3F5FB8830475642BDD916AB294DB34AD05CB90
            Function 039FFB76 Relevance: .1, Instructions: 109COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b539e061a57c3849a61cf01d832398537eaec1cb0b4834f47a25b15a0b899281
            • Instruction ID: 0be2e8efcbfdc062d454e52c92bf4a81fb3aa02edb58176bf32e98f40def061b
            • Opcode Fuzzy Hash: b539e061a57c3849a61cf01d832398537eaec1cb0b4834f47a25b15a0b899281
            • Instruction Fuzzy Hash: E631C136610215AFD714DF29CC44AABBBE9FF8C351B458568FA1ACB244DA74E901C790
            Function 0040DFF3 Relevance: .1, Instructions: 108COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction ID: afdeb25f6c2fd5c08c065e5fc9e0460349bb14545ff257eb581502e852ad9c93
            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction Fuzzy Hash: 323192116586F10ED30E836E08BD675AEC18E9720174EC2FEDADA6F2F3C0888418D3A5
            Function 039402E1 Relevance: .1, Instructions: 106COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction ID: 2db284119b1cb4b6ed30c2a6f64bf56476d159362d2d91a92c2edcdfaaf79c32
            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction Fuzzy Hash: 2F31E432A04244AFDB22DB68CC44F9AFFE9FF45350F0885A6E855DB351E6749844CBA0
            Function 03959274 Relevance: .1, Instructions: 105COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d96577ba42606b3313f8eda9593ca403ef4707af06e0ef7e3ca6b4180ceb0bec
            • Instruction ID: 3e1a13551f6da418bee47276341dd7d3ef0720a5f6a04367e35b55eaae4b6554
            • Opcode Fuzzy Hash: d96577ba42606b3313f8eda9593ca403ef4707af06e0ef7e3ca6b4180ceb0bec
            • Instruction Fuzzy Hash: 1C316575A00328EFEB25DB28CC40B9AB7B9EF85750F5501D9B94DAB280DB309E84CF51
            Function 03935702 Relevance: .1, Instructions: 104COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8ced3ecc1210c374dc319b9e6f90f73e39878d2ac6804b0010ac66ade00401b3
            • Instruction ID: 57ab1c00eb46ef88a5df918fc68b8f621c651c4275c652f5e3264158cad4e4d9
            • Opcode Fuzzy Hash: 8ced3ecc1210c374dc319b9e6f90f73e39878d2ac6804b0010ac66ade00401b3
            • Instruction Fuzzy Hash: 6A31C075601A06EFDB51EB69CA80AAAF7A9FF8A754F040065E84647B50D770E820CBD0
            Function 03934260 Relevance: .1, Instructions: 102COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 696413099eab6f6c1071c94ad240388cef612f7048bf896f9197916dd1af86ea
            • Instruction ID: ee3bbc8e1029d03ddcdc06304870035fcb925a92fd0ba46f275d22d5cae77f00
            • Opcode Fuzzy Hash: 696413099eab6f6c1071c94ad240388cef612f7048bf896f9197916dd1af86ea
            • Instruction Fuzzy Hash: E441B175200B45DFDB22CF69C981FDAB7E9AF4A354F05482AE9A98F350D774E800CB50
            Function 039550E4 Relevance: .1, Instructions: 101COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction ID: 21e41c1ac81412ab919af179673a5bed83bbd432190837ea97a5486fcadce64f
            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction Fuzzy Hash: 4131F9317083419FDB21DA28D800767FBDDAB86794F0E856AFC868B396D274D8C1C792
            Function 039F61C3 Relevance: .1, Instructions: 97COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfc835da11c15a79ac57f59a7d9c2c14969d54d74fadbbe7ef29d8a3e714ab1a
            • Instruction ID: db392b800be53a77a2b3c88e9994523bfa1e47ba35c0ebf3565f1fbe3a8e3528
            • Opcode Fuzzy Hash: cfc835da11c15a79ac57f59a7d9c2c14969d54d74fadbbe7ef29d8a3e714ab1a
            • Instruction Fuzzy Hash: 6831A176A00219EFDB15DFA8C880FAEB7B9EB84740F454169E900EB284D774ED01CBA4
            Function 039F6BD7 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3519758d484257f3ec4372f9da4562754f1594bbc8e578a833a75e5d986a6b01
            • Instruction ID: e6ac2e39aa22f2e74e30b585b1b017a0fb585435304371c56cfb2f4f32a7cf88
            • Opcode Fuzzy Hash: 3519758d484257f3ec4372f9da4562754f1594bbc8e578a833a75e5d986a6b01
            • Instruction Fuzzy Hash: 26316C716002049FCB24DF2ED885A9B7BF8FF8D340B858469EA18DF249D270E955CBA4
            Function 039F60B8 Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 529891b03ec17178661405d6d8f4cec97cc44f49a8fbff32d9a9b8293b1ab01e
            • Instruction ID: e898bcb712c397827a76ce4622a7b989edeae7eb0b89cfabb63aaf2c5efc2b15
            • Opcode Fuzzy Hash: 529891b03ec17178661405d6d8f4cec97cc44f49a8fbff32d9a9b8293b1ab01e
            • Instruction Fuzzy Hash: 6031E035B00315AFDB22EBA9C840F6FBBB9AB85354F1400A9E651DB381DA70DC008B90
            Function 039307AF Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6b8fb31a68c0bd21de17806d5659e59b90da4535cf90a91efea54c4b01f70c93
            • Instruction ID: af2f81bd54ea1b14e724b8a0b1384ba4763b07dc3376da462025087c5be953db
            • Opcode Fuzzy Hash: 6b8fb31a68c0bd21de17806d5659e59b90da4535cf90a91efea54c4b01f70c93
            • Instruction Fuzzy Hash: C531C5B6E04715DBC711EE288890E6BBBA9EFC6750F054929FC569B310DA31DC1187D1
            Function 0392D6AA Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
            • Instruction ID: c21bc23889cb6c1a1597b2160d2da682b8860e86ab06e1c8c8d80b79052f09f5
            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
            • Instruction Fuzzy Hash: CE31C5B6600E24AFDB21DE58C880F6EBBBDDB84790F1D8469ED259B258D338DD44CB50
            Function 0042E913 Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dfa1a8370f2a756a22522422b03ee256f537c57a99f02cbe75a6cb198632c484
            • Instruction ID: 9bb0ed306f039881022f9c204aed7ff3235a5c7efe7ff2d64f10b779fa9549f5
            • Opcode Fuzzy Hash: dfa1a8370f2a756a22522422b03ee256f537c57a99f02cbe75a6cb198632c484
            • Instruction Fuzzy Hash: 9A31B1B2B10A265BD754CE3AD880656F7E1FB88350B54863AD919C3B40E774F9A1CBD0
            Function 039357C0 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e2f467022d15ab260ec7ec9934bcb812933389fdbeeb3f6d4277d12a49c725b4
            • Instruction ID: 0d4316cf8682b1f4b16c524d7d3a546de8bfa3288c51403fdd9dea5460337ae4
            • Opcode Fuzzy Hash: e2f467022d15ab260ec7ec9934bcb812933389fdbeeb3f6d4277d12a49c725b4
            • Instruction Fuzzy Hash: 4531C379705A05FFDB51DB25DA40A69BBA9FF89340F045056E9118BB50C731E830CBC0
            Function 0396A6C7 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction ID: dbbbc6aacf88a0c491c1005973406ab0bc14e20aab66b94095cccf411786c19f
            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction Fuzzy Hash: 813127B2B01B00AFD760CF6DDE41B57B7FCBB48A90F08092DA59AD3650E630E900CB64
            Function 00403280 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1559362805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 17d9df94d10f5f82653e6bd88213afd766bb602f4dd90f010d24fbc3a2eb3d4e
            • Instruction ID: 5e322074218169e498b0ee261994b40f5ced1733398725c4dc1ff4aa226488ce
            • Opcode Fuzzy Hash: 17d9df94d10f5f82653e6bd88213afd766bb602f4dd90f010d24fbc3a2eb3d4e
            • Instruction Fuzzy Hash: DB31A272A10B148FD368CF6ED845613F7E5AB8C310B418B6EE85AD7B81D6B4E911CBC4
            Function 0395438F Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fa8d5c53b81715675b6d42a1227ea9c30ab67db3fb41f4166cfa2bebaa505e3e
            • Instruction ID: fc50d0f40f3ffb03e58b0b1cd47f2eb785d93b887b2366deceddd84db72b795a
            • Opcode Fuzzy Hash: fa8d5c53b81715675b6d42a1227ea9c30ab67db3fb41f4166cfa2bebaa505e3e
            • Instruction Fuzzy Hash: 0531C431B003059FDB60EFA9C980A6FB7F9EB84745F00852AE845DB254D730E9C5CB90
            Function 039392C5 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction ID: fd88c4d856093061e625952e0e129427184f222713c19b28dc85925c920e2f86
            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction Fuzzy Hash: B8317EB66083499FCB05DF18D840A5ABBE9FF89350F04096AF8919B3A1D730DD14CBA2
            Function 039EC3CD Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction ID: ac482ac57d051b11c0f9faa2e2b76794319a0387c7db9a4cbc19fb6c519f86cd
            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction Fuzzy Hash: BC210B3F60075576CB16EBA58C40ABAF7B8EFC0610F40801AFDE68A691F634D950C760
            Function 0392C156 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 38603c69c4015bad5bfc2de783e21c9a1d74baf24f1716a63958a06dfa0ca3b3
            • Instruction ID: 186cb75c7105b5512383037f47628e3ce9bdf67a0cf939edfce31d7c49809342
            • Opcode Fuzzy Hash: 38603c69c4015bad5bfc2de783e21c9a1d74baf24f1716a63958a06dfa0ca3b3
            • Instruction Fuzzy Hash: A931E8B55003108BC734FF28C841B69B7B8EFC1354F5885A9DC859F3C1EA749986CB90
            Function 0392E388 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction ID: f6c9162bee95dec2e18811bca55db2a96802c0f3afa8b4014961b20dde282136
            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction Fuzzy Hash: 73318B35A00A14EFD725DF68C884F6ABBF9EF85354F1449A9E5528B294E730EE02CB50
            Function 03A003E6 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2c7ba0b2a60b7fa5cc2f56c477b7f71b14af29535865583746b33cfc599f29e2
            • Instruction ID: 257f284caaa7aa65a2f7b52f892feff2690589dfb9450f219ada66c03af39de7
            • Opcode Fuzzy Hash: 2c7ba0b2a60b7fa5cc2f56c477b7f71b14af29535865583746b33cfc599f29e2
            • Instruction Fuzzy Hash: 65316171A00119AFCB14DBA9D894FAFBBB9FB8C304F41416AE906E7240DB306D05CBA4
            Function 039AE609 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 800517555c8de8c4146a42e05ccb7d4b8ee7acef5310d0acb4efbb69d4cddd91
            • Instruction ID: 6c5adc0529ae0352faa8bcc2567f76beab29ba8f67db2dc6a103355d960ac79f
            • Opcode Fuzzy Hash: 800517555c8de8c4146a42e05ccb7d4b8ee7acef5310d0acb4efbb69d4cddd91
            • Instruction Fuzzy Hash: F3319F79A00606DFCB14EF1CC884DAEB7BAFF84304B154A59F8099B390E771EA41CB90
            Function 03933616 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 08d8485d181820efb287c0a7768d69a58cd82e907549ced1227272a4dcf078b4
            • Instruction ID: 03465ab687679965a8f1d869be39d2012d85344ca399967690fa7ccf875d2761
            • Opcode Fuzzy Hash: 08d8485d181820efb287c0a7768d69a58cd82e907549ced1227272a4dcf078b4
            • Instruction Fuzzy Hash: 6D210979285750AFCB71EF18C9C5B2ABBA9FF82B54F090969E8410B651C7B0DC44CB81
            Function 03A00591 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f4752e5f52b153743d7c96b14b7d9b558010f3e78f46aa3722edb352280db3d
            • Instruction ID: ef061da7df53c76073458eb4568f53a424705a8c7a5c569450ef6bfc033d83e9
            • Opcode Fuzzy Hash: 2f4752e5f52b153743d7c96b14b7d9b558010f3e78f46aa3722edb352280db3d
            • Instruction Fuzzy Hash: 6321CE326002058FD728CF29E880BBAB3A6EBD4300F59847AE955CB285D774F845C750
            Function 0395F32A Relevance: .1, Instructions: 79COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction ID: 2f3108a074b7cb65d42bb2e0ececcf492922559a05d2da433d91fd817715d004
            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction Fuzzy Hash: 7D219F72200300DFD719DF15C445B6ABBE9EF953A5F15816DF90B8B2A0EB70E841CB94
            Function 039B06F1 Relevance: .1, Instructions: 79COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2ee1856c9e35ad6a5cd5fdab2fa8f15a942234af812e11baea2189701c01d32c
            • Instruction ID: aceda9996a59de6350558d11975a41c17ee8dcad066d4f27b3db02607bd1cafa
            • Opcode Fuzzy Hash: 2ee1856c9e35ad6a5cd5fdab2fa8f15a942234af812e11baea2189701c01d32c
            • Instruction Fuzzy Hash: A4218D75A00629ABCF20DF59C981ABFF7F8FF48740B550069E941AB250D778AD52CBA0
            Function 039B019F Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 068eaeae1394a98e5bbe2f1ce5d3f86b68032b425cd700a5d353669159216d5c
            • Instruction ID: 41e8dbec73f0be18f04361cabe82dfbed865382e2f25924a7b0e513108cee19b
            • Opcode Fuzzy Hash: 068eaeae1394a98e5bbe2f1ce5d3f86b68032b425cd700a5d353669159216d5c
            • Instruction Fuzzy Hash: A1219C75600644AFC715DBA9C984F6AB7B8FF88780F140169F944DB7A0D734ED50CBA8
            Function 03969660 Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a6fdbcebce861d590b33858770321e91db5b9fefb8c2cfede2bd2011ae9e8574
            • Instruction ID: 03c9b5c6761f3ae6f6dfc1cd5d6a1b4fc6a2b2202e26e2a15aa23f34f1bc7af8
            • Opcode Fuzzy Hash: a6fdbcebce861d590b33858770321e91db5b9fefb8c2cfede2bd2011ae9e8574
            • Instruction Fuzzy Hash: C021F931206B15DFCB31FB2DC850B2677AAFB81264F144B5AE8928A5F0D731A841CB91
            Function 039B0283 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9f9afc1704ae60c301afc01e83708721eae5f82071bbace311465c4cbffbfaee
            • Instruction ID: 045ca7fff82961806d46f7b72988fa7a59aec02d4845068eeb4feb239c36bf8f
            • Opcode Fuzzy Hash: 9f9afc1704ae60c301afc01e83708721eae5f82071bbace311465c4cbffbfaee
            • Instruction Fuzzy Hash: F9217F729043459BC711EF6ACA48F9BF7ECBFD1680F08445ABC908B251D734D959C6A2
            Function 03A001AA Relevance: .1, Instructions: 71COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8bbe88ce4a2f8fdc64a34dc13e2a82161b9d198000586a41f5075a0b0e0d068d
            • Instruction ID: 5dfae9c7abbe8b9492fdfa3d0303a7319901e4f01a0272b3acbabb1f91d57d00
            • Opcode Fuzzy Hash: 8bbe88ce4a2f8fdc64a34dc13e2a82161b9d198000586a41f5075a0b0e0d068d
            • Instruction Fuzzy Hash: B021D6712042544FD745CB5A98F45B6BFE5EFCA225B1D82EAD984CB342C534D907C7A0
            Function 0396A30B Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4a53155208f0d7ba547960c7c6c49e00f35313935df639aee31333dbf0f447c0
            • Instruction ID: df6c7005e7a5c9a978060c8f5611a867b8564c8683143dfe24ddbfc248848ead
            • Opcode Fuzzy Hash: 4a53155208f0d7ba547960c7c6c49e00f35313935df639aee31333dbf0f447c0
            • Instruction Fuzzy Hash: D921AC79201B109FC724DF29C900F56B7F5EF88744F1885A8A909CB761E331E842CB94
            Function 0392B765 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: b57a6ed866dfa59821fbf2e7315707650646c7df1acae6fee0b3375fd5d10b5d
            • Instruction ID: d349605dde0c085b0499c0616eb88ba767d96ad973bca5e410ff8e7753e0014b
            • Opcode Fuzzy Hash: b57a6ed866dfa59821fbf2e7315707650646c7df1acae6fee0b3375fd5d10b5d
            • Instruction Fuzzy Hash: 33215736111B10DFC725EF68C940F19BBF9FF58708F184969E40A9BAA1D734E811CB44
            Function 039FEE26 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 40f1c64d163ae2c015a6e5f6a0abfb0fd5066219300c299bd5e2c26a2af0a51c
            • Instruction ID: e6110f5ee69155ed87a65db692afe16d9e2cdfa43e9e9aa7cbae3aa649354bd5
            • Opcode Fuzzy Hash: 40f1c64d163ae2c015a6e5f6a0abfb0fd5066219300c299bd5e2c26a2af0a51c
            • Instruction Fuzzy Hash: 7A21B433A104129F9B18CF3DD804466F7E6EFDC31436A427AD512DB268D770BD118A84
            Function 03960124 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction ID: cf2d0ee0fc3d36b938b577f10aab054bdba361ce3312ba8211d40573116be46c
            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction Fuzzy Hash: 7C11DD76602708BFD722DA84CC80FABBBBCEB81794F160429E6008F290D675ED44CB60
            Function 03938770 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ada5afb13f2a9cb02927c18022452ac4fb72e199242d776e99a1156486aea623
            • Instruction ID: 5d7db3406f7f6936631f099a7da0f0ced2a684ca6e01883cfbbe55750d10f147
            • Opcode Fuzzy Hash: ada5afb13f2a9cb02927c18022452ac4fb72e199242d776e99a1156486aea623
            • Instruction Fuzzy Hash: D911BFB5705620EBCB11CF5DC4C0A6AB7EAEF8B790B198069FD09DF205D6B2E9058790
            Function 03933720 Relevance: .1, Instructions: 67COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7fa859bcc1e5f1bfbce390f074ba13db03abca186ef7b1acecbd5922274f55c8
            • Instruction ID: adc873e96017ec5385b709d9d40fe8263f61c5aac68e636a09c437ba1d2a233c
            • Opcode Fuzzy Hash: 7fa859bcc1e5f1bfbce390f074ba13db03abca186ef7b1acecbd5922274f55c8
            • Instruction Fuzzy Hash: 3921F9B8A002098BE725DF6DD0887EDB7B8FB8A318F2D8018D812572D0CBB89945CB51
            Function 039380E9 Relevance: .1, Instructions: 66COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 38cb2ebdc49e12d6f6b7e470db497694ba8e003434b42808230abfa5b476968e
            • Instruction ID: 35234398776605306c11da621a7835b8fd274ed43831cfbcd9136da1ac612838
            • Opcode Fuzzy Hash: 38cb2ebdc49e12d6f6b7e470db497694ba8e003434b42808230abfa5b476968e
            • Instruction Fuzzy Hash: 6B218175A04205DFCB14CF98C581A6EBBFAFB89314F24456DE505AB310D771AD0ACBD0
            Function 0396674D Relevance: .1, Instructions: 65COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 569507ddce46c0e6359b2709b4e9eeea2d78154511af399fd723c89b5277f2f9
            • Instruction ID: b4dd941deb1841ff4eadc231a6c1da973f10d750316ed4219b803ec4dfeb9967
            • Opcode Fuzzy Hash: 569507ddce46c0e6359b2709b4e9eeea2d78154511af399fd723c89b5277f2f9
            • Instruction Fuzzy Hash: 33215C75612B00EFC720DF79C881F66B3E8FF84250F44882EE49AC7650DA70AC50CBA0
            Function 03929240 Relevance: .1, Instructions: 64COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b8b7b6db33d521d2f730a912683e270c3b91c14050c00afa21d4238832808b12
            • Instruction ID: ae574efc92b8c62ef5ca433d9b0a54155561d757a9cc230c1e126e7edcff0a89
            • Opcode Fuzzy Hash: b8b7b6db33d521d2f730a912683e270c3b91c14050c00afa21d4238832808b12
            • Instruction Fuzzy Hash: 2D11083E011641EADB34FF5DD901A727BA8EBB5780F144025D8009B7A8D338DD02CF64
            Function 039666B0 Relevance: .1, Instructions: 61COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e3ec2665d31b3494e28c7abc45e6cc67d7a37589ea21162861940e6dd77d9527
            • Instruction ID: 9329532fc6626ad7dc9acd0aab121d83ab95520764c3a67280f190f7d955d073
            • Opcode Fuzzy Hash: e3ec2665d31b3494e28c7abc45e6cc67d7a37589ea21162861940e6dd77d9527
            • Instruction Fuzzy Hash: 45119E76A02344EFCB25DF5DD580E5ABBEDEF94690F098079E905AB310D670DD01CBA0
            Function 039FFF09 Relevance: .1, Instructions: 60COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: acd76bbb3036a72de16f99000f3a65dedf55cd10f457891ce2aa007966c3c554
            • Instruction ID: 0a36fa96dd5921021e2f371163f4d2bd75d27ec1742eccc4a642de8baa8364e7
            • Opcode Fuzzy Hash: acd76bbb3036a72de16f99000f3a65dedf55cd10f457891ce2aa007966c3c554
            • Instruction Fuzzy Hash: 4B2183B1A102059FD754DF2AE880B52BBE4FB4C310B8585BAE91CCF24AE370D844CF90
            Function 039527ED Relevance: .1, Instructions: 58COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 45e7bdcbdff242d7c77e2a654b4f03dddb6534654511ae002cba154252f99e2a
            • Instruction ID: b9a33d8f688aaeb52faea9440d7161b044b146313179f5956e4ff5faebc184a5
            • Opcode Fuzzy Hash: 45e7bdcbdff242d7c77e2a654b4f03dddb6534654511ae002cba154252f99e2a
            • Instruction Fuzzy Hash: 8201C476605644ABE716E3AE9884F67A69CEF81394F090466F9408B650DA54DC00C2A1
            Function 0395B052 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 05b1c116831a79e45ba84acbe2f0a7dab39257c8ad7f6387805720f01949690f
            • Instruction ID: 4398816b942e241b6d70527e4836f6cb7a3a57563e808bba7edee01aa8446947
            • Opcode Fuzzy Hash: 05b1c116831a79e45ba84acbe2f0a7dab39257c8ad7f6387805720f01949690f
            • Instruction Fuzzy Hash: F2019676B04744ABE711EB799C81F6BB7E8EFC4654F040429FA05D7141EA70E9418761
            Function 03934690 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 625de5c665d127dde2b5bb0bd60860d54d71a6e775f3d2ab297bb94471e2e9e5
            • Instruction ID: b605443f13d73c8d398487800ee413567bc2fb3b3f28d3addf79435bb474c358
            • Opcode Fuzzy Hash: 625de5c665d127dde2b5bb0bd60860d54d71a6e775f3d2ab297bb94471e2e9e5
            • Instruction Fuzzy Hash: 9611CEBA241744AFCB25CF5FD944F56B7A8EB87BA4F0A451AF8158B290C370E840CF60
            Function 039ED6F0 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
            • Instruction ID: d25ffc0326ab9feb5463fae89fcf3d4ce53291add195503a635f06b5d5703047
            • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
            • Instruction Fuzzy Hash: 53016DBA700209AF9B05DBAACA44DAFBBBDEFC5A44F050059A915D7200E730FE01E760
            Function 03966620 Relevance: .1, Instructions: 56COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 299572a3455459d8223a23a05bb2d4b5b78462f1f108155d1165fd0fb70fde89
            • Instruction ID: 5ba6f6c668b6b3a43f14a42c9f728a90f7dc826e975bfa5793f8784e8a8c90cb
            • Opcode Fuzzy Hash: 299572a3455459d8223a23a05bb2d4b5b78462f1f108155d1165fd0fb70fde89
            • Instruction Fuzzy Hash: E411E576A01715ABCB21FF69D9C0F5EF7BCEF89780F550055D901AB200D730AD018BA0
            Function 03927330 Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2a6b2653a175e246d9f387029c8108c38a2cd6ed7c2b9d855db1e4274ed2a541
            • Instruction ID: e0130785f2cd6571a74d3c96ac5f057e98f96ff02b022a89162d17a960ffc6c2
            • Opcode Fuzzy Hash: 2a6b2653a175e246d9f387029c8108c38a2cd6ed7c2b9d855db1e4274ed2a541
            • Instruction Fuzzy Hash: 1E11AC71600B24AFD721CFA9D841FABBBE8EB44344F054829E985DB212E735EC01CBA1
            Function 0395F2D0 Relevance: .1, Instructions: 54COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5646deba2baba72d95aea89fcb0bbf4c5eeeb381086c900abbd19507feea71d6
            • Instruction ID: 2594b30ddb8ff887d528fc8e1ae6e4c5ceab22d012c1692ef45551753b129477
            • Opcode Fuzzy Hash: 5646deba2baba72d95aea89fcb0bbf4c5eeeb381086c900abbd19507feea71d6
            • Instruction Fuzzy Hash: 8C11C276600748DBD720DF69C884FAEB7ACFF84750F180466E941EB781D679D941C790
            Function 039C72A0 Relevance: .1, Instructions: 53COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction ID: 1c48cb64369b1930e1982a1c40d8847c396492e38d12cd3573a52793486bf84a
            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction Fuzzy Hash: 0A01D27A250605BFD711EF66CC80E62F76DFF843D1B444929F140465A0C731ECA0CAA4
            Function 0392A250 Relevance: .1, Instructions: 52COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction ID: b9fbe614e58ff69758181f1a6731684e9453949929b217bbbe3f79357f6b9776
            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction Fuzzy Hash: BB01D672505B219BCB30CF55D840A36BFADEF457A0705896DFC958B694DB35D820CB60
            Function 03936259 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cf0721868fcb0471ba51c0bbe9aea4c60ddde8000f799c42797870a572a14d68
            • Instruction ID: 777b34a909557bef5cdeadc918a967a1a8fe7eb6f2f99e85dd226a8b395522c7
            • Opcode Fuzzy Hash: cf0721868fcb0471ba51c0bbe9aea4c60ddde8000f799c42797870a572a14d68
            • Instruction Fuzzy Hash: 32119A74601328ABDB25EB24CC82FE8B378EB45710F5045D4A318AA0E0DB709E81CF84
            Function 0393208A Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction ID: 5f627dd4057bfb76f98ab3ebdcf343f1e6f8aaac2a62b5f9e061efd2aee9eaff
            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction Fuzzy Hash: 080124776002108BDF10EB29E880BA6B76EBFC5740F1958A9ED868F245EA71C881C790
            Function 039720F0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a70eb35f1f28ae96509b28cdfc8c910985ce2ea9abf13fbbfb4fcd1460a7e36b
            • Instruction ID: 1b44f1326ce54fe1485ee9d8bbb5aa9fcc2a8db87c7e35e20c946eb595e79ee5
            • Opcode Fuzzy Hash: a70eb35f1f28ae96509b28cdfc8c910985ce2ea9abf13fbbfb4fcd1460a7e36b
            • Instruction Fuzzy Hash: B6116935A0020CEBDB05EFA9C851EAF7BB9FB84240F004499E9019B290DA35EE11CB90
            Function 0392C020 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction ID: cd51825690a3115a448a9197604cea0e31512a9f726a6b005c474f9edaaee95f
            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction Fuzzy Hash: 4E01D836100B449FDF22EB66D940EABB7EDFFC5694F08481AA9468B584DE70F441CB50
            Function 03929353 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction ID: 70cce040b7fe19522e5340b481c2ee526cb06f0b2437a1ee2d699cf8a88c7bef
            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction Fuzzy Hash: 66115B32911F22DFD721DF15C880F22BBE8BF807A2F19886DD4994A5A9C375E891CB50
            Function 039533A5 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction ID: 494bc6021fe2018d5124d35fb1190b23c7d1285a04125b0d560c1260d2563109
            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction Fuzzy Hash: 7801863A700205B7CB12DE9ADD80F6FBB6C9F84681B154429BD15DB160EA30D981C760
            Function 0396D1D0 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction ID: 17b62bba43cf29dcb9be6e1601c66641ff5729e88fb43700995b713b9b781117
            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction Fuzzy Hash: 8F01247AB066049BDB10DA55E800F65B3ADABC6620F144156FA228F280CB34D800C781
            Function 0392826B Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 30b575c3698a97e0596b7e733923ab208f21f7559c9c0cf5b5758c70f96200fb
            • Instruction ID: 41ece995d808935a881d8b740f533aaf972fdd66a9e6f7a1d9ae121889a2619d
            • Opcode Fuzzy Hash: 30b575c3698a97e0596b7e733923ab208f21f7559c9c0cf5b5758c70f96200fb
            • Instruction Fuzzy Hash: 8001A735704A18EFC714EB69D9149AEBBBDEF81690B1940299902AB684EE30DD01C6A1
            Function 0394E016 Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction ID: cd79874095b742072335ec3b03bbb895b58d3994e610575889f305d86c98c6dc
            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction Fuzzy Hash: CC017872604A849FD322D71DC948F36B7ECFF85790F0D04A2E815CBAA2D768DC40C621
            Function 039EF367 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c9c446d1ff9013cf1785fc290536ea6fc07d0144459b48c7908bb1fa6c566f7
            • Instruction ID: 8b507fab80b14dfee56d49b1ab8133779dc2ef6b8e4c5e8d2cd1f6069bcb0176
            • Opcode Fuzzy Hash: 6c9c446d1ff9013cf1785fc290536ea6fc07d0144459b48c7908bb1fa6c566f7
            • Instruction Fuzzy Hash: AD018F75A10358EBDB10EBAAD845FAEBBB8EF84740F044066B501EB2C0D6B4D901CBA4
            Function 0395BBA0 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
            • Instruction ID: 9cc8cff8c61d969d93477d3813b5227aeb914abed086fc842183283187474864
            • Opcode Fuzzy Hash: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
            • Instruction Fuzzy Hash: 49017177D00129DBCB28CF49C590BADB7A9EF44750F1900B9ED06A7340DB71AE40DB94
            Function 039F972B Relevance: .0, Instructions: 44COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
            Function 03A05636 Relevance: .0, Instructions: 44COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e873b626d46dfb49c9b8ab1593fccbae8fb622ca6ddfd58fa5f8a7589cecf87
            • Instruction ID: 3fb358f09219fd9b1f6fd81b4310219dc694c0b33ac083c3e0d598050ad0ec2a
            • Opcode Fuzzy Hash: 1e873b626d46dfb49c9b8ab1593fccbae8fb622ca6ddfd58fa5f8a7589cecf87
            • Instruction Fuzzy Hash: 5C116D78D10249EBCB04DFA9D441AAEB7B4EF58304F14805AA814EB381D634DA02CBA5
            Function 0392C310 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction ID: 218e7acb1e3c7c952aa716f2dd4332a7981940c04b5db63fc9e0e82a80b691af
            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction Fuzzy Hash: 64F0FC37244F329BD732DA594880F6FAD998FC5AE4F190435E1099F20CCA649C055AD0
            Function 03A05152 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f490df5845e526f0fcef1989e3f526b6242e27e05fb3de3811efab3c533dc278
            • Instruction ID: e69fac85dfd381481675c1032fa5e0d149ebb016a6b76791ca8a14e80e98858a
            • Opcode Fuzzy Hash: f490df5845e526f0fcef1989e3f526b6242e27e05fb3de3811efab3c533dc278
            • Instruction Fuzzy Hash: B9012175A10209ABDB00DF69D9419EEB7B8FF89300F14405AE500E7380D674DA018BA1
            Function 03A050D9 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5c4ee800823114c0c43c8ba2fb00d74319068ebf4ad173c5d54df95243dea161
            • Instruction ID: 3d653c9a3c2ba0e197f992671b666b422cdeb6232efa452bfd7b0fc687652d9a
            • Opcode Fuzzy Hash: 5c4ee800823114c0c43c8ba2fb00d74319068ebf4ad173c5d54df95243dea161
            • Instruction Fuzzy Hash: CD012CB5A00309ABDB00DFA9E9819EEB7B8EF89300F54405AE500FB381D774A9018BA1
            Function 03A05060 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d5eca2defea4904c480d621ec6dc983de78d030adb68ed9ce3fafecffc1877e7
            • Instruction ID: 4ca87bff96ec19d159f0f0b28c56f9e6fc7d2258a33044af5fca057a6e1feb51
            • Opcode Fuzzy Hash: d5eca2defea4904c480d621ec6dc983de78d030adb68ed9ce3fafecffc1877e7
            • Instruction Fuzzy Hash: F0012C75A10309AFDB04DFA9D9819EEB7B8EF89300F14405AF901EB381D674EA018BA1
            Function 0395C073 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction ID: eda665dd2bbaeb3c4f6567d020627447a6aa431d38802f7bfeec17ae40d51218
            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction Fuzzy Hash: BFF0C2B3600610ABD324CF8DDC40E57F7EEDBC0A80F098128A905CB220EA31DD04CB90
            Function 03965734 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
            • Instruction ID: b615be4d94246ba2d1c667170609b1c75182ed04f630b6bd222902aebc031f36
            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
            • Instruction Fuzzy Hash: D4F0FF72A02214BFE319CF5CC840F6AF7EDEB46690F0A4079D500DB230E671DE04CA94
            Function 039EF78A Relevance: .0, Instructions: 42COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 199652d0d7c75899834ccb6cd938d7323a0d8e14b4a248810a97afdca325aa42
            • Instruction ID: 2c50d58fe11a60991608edb6a8275f3f7a30d29dafd02c7e9d76770ac7997503
            • Opcode Fuzzy Hash: 199652d0d7c75899834ccb6cd938d7323a0d8e14b4a248810a97afdca325aa42
            • Instruction Fuzzy Hash: B2010075E007499FCB04DFA9D545AAEB7F4EF48344F10405AA855EB381E674DA00DB91
            Function 039EF2F8 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 302403117a2e7c10bb31978eaaa9fa8e9acbee181b48bf5fc1f07f92a92c4e62
            • Instruction ID: 2cee98e312871f3c40e7c016b8737e778e99383525b5d1568e3a1ade74f1cd97
            • Opcode Fuzzy Hash: 302403117a2e7c10bb31978eaaa9fa8e9acbee181b48bf5fc1f07f92a92c4e62
            • Instruction Fuzzy Hash: 45F0C876B10348ABDB04DFB9C845EEEB7B8EF84750F008056E501EB2C0DA74D90187A1
            Function 03A061E5 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b5a3be17eea76bb82a432a404a311c9470907a60f3d3daa539a9a13c881c35b3
            • Instruction ID: bd4a76ca2edf73c3e3f0841921137b57265d5722328fa99a1103599d9efe845d
            • Opcode Fuzzy Hash: b5a3be17eea76bb82a432a404a311c9470907a60f3d3daa539a9a13c881c35b3
            • Instruction Fuzzy Hash: 77014F75E00259DBDB04DFA9E845AEEB7F8EF48314F14405AE501AB290D774EA01CBA5
            Function 0396724D Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction ID: 3e517814fa89b7d436cf01844658d9284c8f051c22c128d42754eda2e958df77
            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction Fuzzy Hash: 3AF09676A123556BEB14D7EA8940FABB7ACEFC4754F088596B9029B244DA30E940C750
            Function 03A053FC Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ebafae5631ee7662e9ea6422e2ec3bb28377484b92e5b9aecf883edf398e4086
            • Instruction ID: 36cc7a0bbadeb77c1b9e99a8c2268af48fb8ff8831e423defde3d3912bb3e865
            • Opcode Fuzzy Hash: ebafae5631ee7662e9ea6422e2ec3bb28377484b92e5b9aecf883edf398e4086
            • Instruction Fuzzy Hash: 16011A74E00209DFDB04DFA9D545B9EF7F4FF48300F14826AA519EB382EA749A418B91
            Function 0392C0F0 Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 958c1ec125c6e28c5f0c1330bce555450ac7a45a285b48435c5a95a58c230c60
            • Instruction ID: 66f395a96b20437855fc595abc965253b7d5daf3160dbec8b80a44da9bad5aab
            • Opcode Fuzzy Hash: 958c1ec125c6e28c5f0c1330bce555450ac7a45a285b48435c5a95a58c230c60
            • Instruction Fuzzy Hash: 58F024712047245FE310D6999C02B773ADEEBC07A0F29806AEB058F2C6EA70EC018B94
            Function 03A03749 Relevance: .0, Instructions: 38COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
            • Instruction ID: 98f2166e1725c70f284de0626dc084ee41f060531e22228ea05f0bf60d567538
            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
            • Instruction Fuzzy Hash: E4F04FBA940304BFEB11EBA4CD41FDA77BCEB45710F100166A956DA1D0EA70AA44CB90
            Function 039D437C Relevance: .0, Instructions: 37COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction ID: fa207ecfbcfb893ececf2bfb93fa4873d259d55be1a118239663e5ca48f99916
            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction Fuzzy Hash: 4BF0E935381B1247D736EA6F8521B2FE25D9FC0980B4D852C9801CFE40DF30D8008780
            Function 039EF3E6 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c37a6d626d043f80e985d566454a6515d403c66c226af7778ac06d1449071211
            • Instruction ID: 67e127ae1962bd6029a71c4ce46a417e06cadcb94410bc7246a703082e340ae0
            • Opcode Fuzzy Hash: c37a6d626d043f80e985d566454a6515d403c66c226af7778ac06d1449071211
            • Instruction Fuzzy Hash: 3CF04F75A01348EFCB04EFA9D545E9EB7F4EF48300F40406AB945EB381E674DA01CB55
            Function 039292FF Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d23890c2bd4b08385bb8a0d39dbd6ce31ba234d8fb700727d82a880ff7c18cb7
            • Instruction ID: a2a5a204c003286e674a65a969f122b6271508a51f412695c4f04d9ef8a2e6d9
            • Opcode Fuzzy Hash: d23890c2bd4b08385bb8a0d39dbd6ce31ba234d8fb700727d82a880ff7c18cb7
            • Instruction Fuzzy Hash: CBF0FA32200B40ABC731EB19CC04F9BBBEDEFC4B40F08012DE94283090C7A0A909C660
            Function 039347FB Relevance: .0, Instructions: 33COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 17013b3d5f69a88417713f5641725e2533570c7c20174fd5fe827c091dc67b26
            • Instruction ID: 408a777a8ce0456cb8d122c880ca431994f8ac2aca0256ad89ce00d64c1adbf3
            • Opcode Fuzzy Hash: 17013b3d5f69a88417713f5641725e2533570c7c20174fd5fe827c091dc67b26
            • Instruction Fuzzy Hash: 76F0BEB99127E09FD732CB6BC554B62B7ECDB027A0F0E89AAD48987641C724D881CE50
            Function 039EF6C7 Relevance: .0, Instructions: 33COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f6cc7f9f6695f31b5d300a8a057fda339083579d326263d054d4177c674c40e6
            • Instruction ID: 2f3b79c80ae194cbfc2831f3f7fcfa489640bd0f08633b315177f291f96ce994
            • Opcode Fuzzy Hash: f6cc7f9f6695f31b5d300a8a057fda339083579d326263d054d4177c674c40e6
            • Instruction Fuzzy Hash: CFF06D79A10348EBDB04EFA9D845EAEB7F4EF48304F044069E501EB281E674D901CB54
            Function 039F0115 Relevance: .0, Instructions: 32COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: efe89ccf2a527b579ea28018f8e680c2563bfa667b4bff602584b026372525aa
            • Instruction ID: e23366de73b139a81b22d321d1a129d08562371107384da97f8b989d32e7b8a1
            • Opcode Fuzzy Hash: efe89ccf2a527b579ea28018f8e680c2563bfa667b4bff602584b026372525aa
            • Instruction Fuzzy Hash: E4F0273A5177C04ECF32FB2C64502A2AF5CD792150F1D1485C5B15B306C9B88483C720
            Function 03A0539D Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 24ff48e83faaf8da4a4bfd8b86bd889f63c34da8456c17a38f400369486fa740
            • Instruction ID: d4445c7149c1f2fd8df2c40718581b1e84e444037f876c742005ada06a9981d7
            • Opcode Fuzzy Hash: 24ff48e83faaf8da4a4bfd8b86bd889f63c34da8456c17a38f400369486fa740
            • Instruction Fuzzy Hash: 5BF05E74A1434CAFDB04EBB9E555EAEB7B4EF48304F148059E501EB2C1DA74D901CF65
            Function 03A05283 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c17f3bca1d2df93c47fa754022c5ff85a7cf4413ca67b52f761679a3e5f5ad4
            • Instruction ID: fd924301fef02213e6c3f6b24b43babaf05394c72650678f2afb5e59ee42bf5e
            • Opcode Fuzzy Hash: 8c17f3bca1d2df93c47fa754022c5ff85a7cf4413ca67b52f761679a3e5f5ad4
            • Instruction Fuzzy Hash: 2BF05E78A14348EBDB08EBB9E945EAEB7B4FF48300F444459A541EB2C1EA74D9018B55
            Function 03A052E2 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 04f5eb9d9efec66fb79ffeb93c649b8f22b3d57d82b1ae292cae2a8383859451
            • Instruction ID: 32e313526d08f64d597e64805b331fe6cac0cbb73f75394ad23ccfb466d07250
            • Opcode Fuzzy Hash: 04f5eb9d9efec66fb79ffeb93c649b8f22b3d57d82b1ae292cae2a8383859451
            • Instruction Fuzzy Hash: C7F0BE74A10348ABDB04EFB9E951EAEB3B4EF44300F044059A401EB2C1EA74D900CB55
            Function 03972619 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction ID: e9902991ed465e229eea907d5437fea44e78df30475c8728216cbc7f12eec7eb
            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction Fuzzy Hash: 8DE092723106006BD721EF59CC84F47776EEFC2B10F05047AB5045E291CAE29C0982A4
            Function 03A05341 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c19560f884be1997de80c623b42812dd6e36eb0e989cfda4e094883a10a99640
            • Instruction ID: ea842c79c7c0ffd42aaca4077b097fcec7f99803c8fa45171c874b01d7d819ad
            • Opcode Fuzzy Hash: c19560f884be1997de80c623b42812dd6e36eb0e989cfda4e094883a10a99640
            • Instruction Fuzzy Hash: 3FF0A774E0434CEBDB04EBB9E995E9EB7B4EF49304F540059E501EB2D1EA74D9008B15
            Function 03A05227 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e7b3f462912d1bf10197cc7b83a8f3105da932c69513ccd02604cad676009649
            • Instruction ID: 0b3e2f5ffa9be190eafcd4aab38ea20130ed9bafaa27e9943e043a445c0497c0
            • Opcode Fuzzy Hash: e7b3f462912d1bf10197cc7b83a8f3105da932c69513ccd02604cad676009649
            • Instruction Fuzzy Hash: F8F0A774E14348EBDB14EBB9E945EAEB3B8EF48704F040459B901EF2C1EA74D901CB55
            Function 03967208 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7244dc3722c2c4fa75c37c44a2ca3550b1c58b5687c095dafcd11d8a48c62384
            • Instruction ID: e1deddb8385c0002a06ba3299caaa95d9d6257abb2210a3f8d895ff38fd568bb
            • Opcode Fuzzy Hash: 7244dc3722c2c4fa75c37c44a2ca3550b1c58b5687c095dafcd11d8a48c62384
            • Instruction Fuzzy Hash: B1F0EC71919A849FC722C32EC184B22B3DD9F00BB0F0CA6A1D4098F701CBA8C880C2D0
            Function 03A051CB Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7c52f6fbcabecc321a8019b99e0df079b78d814a9173569d4f806cfef61540b3
            • Instruction ID: b542129b1dd7108467b22020faa39c1309ef48922a8064acb25baaac376d1308
            • Opcode Fuzzy Hash: 7c52f6fbcabecc321a8019b99e0df079b78d814a9173569d4f806cfef61540b3
            • Instruction Fuzzy Hash: 39F08274A14248EBDB04EBB9E946E6EB3F4EF48304F040059A901EB2C1EA74E901CB55
            Function 039EF72E Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec4073a7e334f180ec989ab6161177ad405ff30ec528492402594a688291e17
            • Instruction ID: 20a6efaf05f8073bb52bc44e58dc84e7072ab34d0ff4303d2844ad09d6d9331c
            • Opcode Fuzzy Hash: dec4073a7e334f180ec989ab6161177ad405ff30ec528492402594a688291e17
            • Instruction Fuzzy Hash: 7EF02775A00348EBDB04EBB9C546E9E77B8EF48700F050055E102EF2C0D974D9019714
            Function 03930710 Relevance: .0, Instructions: 28COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
            • Instruction ID: f3251e9eeefcfa514e43a1bb1bd926c10378e80b6a92d437d48706a2b610cbd0
            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
            • Instruction Fuzzy Hash: 5DF0ED7E6043449BDB16DF1AC490AA57BA8EB823A0B0404D4E8438B300EB31EA82CB80
            Function 03A037B6 Relevance: .0, Instructions: 27COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
            • Instruction ID: 00a79eec8145da876c0dd153577db8f58a8a004f714f681a75f283033f26e6b3
            • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
            • Instruction Fuzzy Hash: 15E09276220200BFEB64DB58DD45FE673ECEB41721F180259B515970D0DBB0BE40CB60
            Function 039EB3D0 Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction ID: dbde6d85ab2f1990e6eb753270ba1249170731eeb7f06dc6c0d96508a56d955d
            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction Fuzzy Hash: BDE0CD35245714B7DB23AA50CC00F797B19DB807D1F104031FA085E650C571AC51D6D4
            Function 0392823B Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction ID: ebbf5d91f2a2e73ef3d80ab9f1a4ef62033345ef74b4bd4155e70748a4fbc11c
            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction Fuzzy Hash: F7E08C36119A20EEDB31EF21DC04F527AA9FB84B90F144D69E0820A4A88770A895DA44
            Function 039B92BC Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9ddc97a6d4c0b62d5fa665e3ca85d018abde7ef9b1c164367ff375b63509416c
            • Instruction ID: 4bd185ae4aa78c552d575a83cb906366a4ba4ee8fc901fdf6f1563f8e78ffb71
            • Opcode Fuzzy Hash: 9ddc97a6d4c0b62d5fa665e3ca85d018abde7ef9b1c164367ff375b63509416c
            • Instruction Fuzzy Hash: CFF0ED34651B84CFE72ADF08C2E1B6573B9F755B40F500458D4464BBA1C73AD942CB40
            Function 03932050 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3179c9eee1ff1b3d4f08a25af1d1738899712368b355a203d1ddd94119b29959
            • Instruction ID: 54ddf7298e1fc3cdf59d2b5b80c11e2bcd9f51df5d0bd50bd12d6e6e72a2b6e8
            • Opcode Fuzzy Hash: 3179c9eee1ff1b3d4f08a25af1d1738899712368b355a203d1ddd94119b29959
            • Instruction Fuzzy Hash: D4E0C2722006506BC321FB6DDD40F5A739EEFE5760F014221F5508B6A0CA64AC01C794
            Function 0392A0E3 Relevance: .0, Instructions: 15COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction ID: a07b280a826ff690dfc3d69b2b3a991636511f68b2ec40ce240425100f63d04a
            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction Fuzzy Hash: C6D0223332743093CB28E6606800F63AD099BC1AA0F0A002C380AD3804C8048C42C2E0
            Function 039402A0 Relevance: .0, Instructions: 13COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction ID: 01c211389d8f15884f74310b98c195c738ac434eb5b5d3ef4d76e55a59295cb9
            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction Fuzzy Hash: CBD0C935212E80CFD61BCF0DC5A4F16B3B8BB44B84F8508D0E501CBB61E66CD940CE00
            Function 039B930B Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction ID: 8f8cabb126949031220ea351db36d2bd67d05ef54bce6800117ad94076706970
            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction Fuzzy Hash: B6D05E35955AC4CFE727CB08C265B907BF8F705B80F890098E04247BA2C37C9984CB10
            Function 0396C700 Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction ID: e848e582d9469e0aefd3349fa095945b3c330b908d49f0d93ee56c8967e4f165
            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction Fuzzy Hash: B6C0123A2A0648AFC712EAA8CD41F027BA9EB98B40F004021F6048B670C631E820EA84
            Function 03950310 Relevance: .0, Instructions: 11COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction ID: 5d6c1f69cbfbbc757aff9da9ca9eef3d5686953f7d311a94a4480a3eed9e03b0
            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction Fuzzy Hash: B9D01236100248EFCB01DF41C890D9A772AFBD8710F148019FD190B7108A31ED62DB50
            Function 03930750 Relevance: .0, Instructions: 9COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction ID: abb8464132584bf38cdc052815575c69843b603ac24b0285d6af11df8a6ec665
            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction Fuzzy Hash: D7C0487AB01A418FCF15EB2AD2E4F5977E8FB84780F1908D0E805CBB21E624E811CA10
            Function 03974340 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bfef6a617e30c74efdf163aec9f0e75d522a20afc1ebd8e429cf0f9263a7921e
            • Instruction ID: 64b7a05ba77a728ed28f30ba41ad2ce6a5c0d11ee0d3640f1e89f97a4d881790
            • Opcode Fuzzy Hash: bfef6a617e30c74efdf163aec9f0e75d522a20afc1ebd8e429cf0f9263a7921e
            • Instruction Fuzzy Hash: DF90023160990412A140B25848C8586404A97E0301B95C011E0424558C8B148A565371
            Function 03973090 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 81dcf9648b2073fa5004d1afc2f6b01861d6d24c6baea9284a0fea86c14da103
            • Instruction ID: 20cb59a19c79fe41f465ce284e7c01eef368949a6cbe34f1fe1453aa8a9b28e7
            • Opcode Fuzzy Hash: 81dcf9648b2073fa5004d1afc2f6b01861d6d24c6baea9284a0fea86c14da103
            • Instruction Fuzzy Hash: A090022124550C02E140B2588458747004BC7D0701F95C011A0024558D87168A6566B1
            Function 03973010 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a7be15a1047cd50b49450e12ca60464ac1b9cee26f9b7b73ff1dfc52cbf4da0c
            • Instruction ID: 2c504cf418794a66b95a8d91223d208fdf18cec99f486a84891055a16d70d8a6
            • Opcode Fuzzy Hash: a7be15a1047cd50b49450e12ca60464ac1b9cee26f9b7b73ff1dfc52cbf4da0c
            • Instruction Fuzzy Hash: 7590022120594842E140B3584848B4F414A87E1302FD5C019A4156558CCA1589555731
            Function 03974650 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b8830771cf12cd593b68d297b98250bfc0fa31c753ad32944f227c0832d4912
            • Instruction ID: 9540c71a787de461ea2939e32eea642f0bcb5b8bac4979f14342257bc86ed131
            • Opcode Fuzzy Hash: 2b8830771cf12cd593b68d297b98250bfc0fa31c753ad32944f227c0832d4912
            • Instruction Fuzzy Hash: B9900261605604425140B2584848446604A97E13013D5C115A0554564C871889559279
            Function 03972B80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f3b38d14f3dd4c676331c991373039750496e47e105fa848cae25fa2321b6840
            • Instruction ID: 23ff9a585550f743914a312470370a883b788f404a20f49a9a0357902cc0ef2c
            • Opcode Fuzzy Hash: f3b38d14f3dd4c676331c991373039750496e47e105fa848cae25fa2321b6840
            • Instruction Fuzzy Hash: C090023120550C02E104B25848486C6004A87D0301F95C011A6024659E976589917131
            Function 03972BA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 87772aebe367d34bbfb5d85d2b3deba5297fa3b6d8eae62fbdca72811ae51d96
            • Instruction ID: 4aed961e866bfdcc8932dd2bd1d1486fd2c76bd970af9b5f01fc1165775f6590
            • Opcode Fuzzy Hash: 87772aebe367d34bbfb5d85d2b3deba5297fa3b6d8eae62fbdca72811ae51d96
            • Instruction Fuzzy Hash: DF90023160950C02E150B2584458786004A87D0301F95C011A0024658D87558B5576B1
            Function 03972BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 004eec93f0a8694125f4a90d0dfc5e7b2acfdcb5a7a40fbee1d355632141ed17
            • Instruction ID: f62c5b07a0b88018d2111741179f124ba8bf904865550aba03347b3bea8e6e37
            • Opcode Fuzzy Hash: 004eec93f0a8694125f4a90d0dfc5e7b2acfdcb5a7a40fbee1d355632141ed17
            • Instruction Fuzzy Hash: 2A90023120550C02E180B258444868A004A87D1301FD5C015A0025658DCB158B5977B1
            Function 03972BE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b79d267fba61ed2a3a76de1f06848c9f53b471c0c169da7d9208ba7fd67cb507
            • Instruction ID: e1a216cad5e38ab07a3c9d61ee077d09f00b7cbed70b275f4b0f60c9f9528a28
            • Opcode Fuzzy Hash: b79d267fba61ed2a3a76de1f06848c9f53b471c0c169da7d9208ba7fd67cb507
            • Instruction Fuzzy Hash: 9990023120954C42E140B2584448A86005A87D0305F95C011A0064698D97258E55B671
            Function 03972AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b649e651de760a17872288a388c65dcd3ff6e26605205e570c3b27d04260f39
            • Instruction ID: f38ddb1620cd1e010656f5b98f54c3ce3c1a9764a54e18cbbac2af6eaa2bc4a1
            • Opcode Fuzzy Hash: 5b649e651de760a17872288a388c65dcd3ff6e26605205e570c3b27d04260f39
            • Instruction Fuzzy Hash: AF9002A1205644925500F3588448B4A454A87E0301B95C016E1054564CC62589519135
            Function 03972AD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d668cf09a035db5c8a72c2c82886d4b87f0084ae7a3bba286baf092e783bab1c
            • Instruction ID: adb99fc8f45aa57eedfb9f0a92d1a8b293d3144c5d1b13d7b4402bf35909f2fa
            • Opcode Fuzzy Hash: d668cf09a035db5c8a72c2c82886d4b87f0084ae7a3bba286baf092e783bab1c
            • Instruction Fuzzy Hash: FC900435315504031105F75C074C54700CFC7D53513D5C031F1015554CD731CD715131
            Function 03972AF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1572b119a3e948c671138da02f7b798fbc9d939a6271445009605c11f87eb383
            • Instruction ID: b5dd1b552863b63bd8a2021f343ce642ee1ba1a4ef709c1d1fa53dfb84de5e07
            • Opcode Fuzzy Hash: 1572b119a3e948c671138da02f7b798fbc9d939a6271445009605c11f87eb383
            • Instruction Fuzzy Hash: 20900225225504021145F658064854B048A97D63513D5C015F1416594CC72189655331
            Function 039739B0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 02ea8b1f0b6c40a4473c0c9bd74c65efbc07c159fdce495d95fc8134eade0872
            • Instruction ID: 38cab9ec12d30770bc0dad6bb3505dc0e1f79e4c4abef54ec5e443f2dcda5ef4
            • Opcode Fuzzy Hash: 02ea8b1f0b6c40a4473c0c9bd74c65efbc07c159fdce495d95fc8134eade0872
            • Instruction Fuzzy Hash: 4290022124955502E150B25C4448656404AA7E0301F95C021A0814598D865589556231
            Function 03972F90 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4a9bb2577faaed95eec2b2baa7d8a1a72b81f44927d5decfc76f4030dbb85f4
            • Instruction ID: 1d7aaee6baea2d6fa79368ec984e30458b99bb5373c78ceb3e03c78112115ce4
            • Opcode Fuzzy Hash: d4a9bb2577faaed95eec2b2baa7d8a1a72b81f44927d5decfc76f4030dbb85f4
            • Instruction Fuzzy Hash: A690023120590802E100B258485874B004A87D0302F95C011A1164559D872589516571
            Function 03972FB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6a714b10256ad1cb3bd39a09f90b54136ec5d832cc5b26079ce3570a02a52181
            • Instruction ID: 61efd2fcec38f6e5a69867799fe8051f41270a600935306817272fa88ed72a75
            • Opcode Fuzzy Hash: 6a714b10256ad1cb3bd39a09f90b54136ec5d832cc5b26079ce3570a02a52181
            • Instruction Fuzzy Hash: F0900221605504425140B2688888946404AABE1311795C121A0998554D865989655675
            Function 03972FA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f103b3b10484ffebfa8415f1e6ae97ce4bd95df7be0ea82eda43729bdafcce74
            • Instruction ID: 4a6557e3d307ab1fbb07f4d19b8496ed071b6fa0e4ff9f96fa79da1d0d1f5e8e
            • Opcode Fuzzy Hash: f103b3b10484ffebfa8415f1e6ae97ce4bd95df7be0ea82eda43729bdafcce74
            • Instruction Fuzzy Hash: C990023120590802E100B258484C787004A87D0302F95C011A5164559E8765C9916531
            Function 03972FE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8b5718eaede12823789ac2ad9214ad8a8b6e6fece62521c39a340a1235d8e556
            • Instruction ID: 7f775aff76a974c5ffde33df1fd0baf94527462dcb3243b75e412f37ace4729b
            • Opcode Fuzzy Hash: 8b5718eaede12823789ac2ad9214ad8a8b6e6fece62521c39a340a1235d8e556
            • Instruction Fuzzy Hash: 52900221215D0442E200B6684C58B47004A87D0303F95C115A0154558CCA1589615531
            Function 03972F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 95f4d298b0b30621c673223f8a7c149b993cd9f54851ee77aa459d68a21b5c68
            • Instruction ID: e325b7481f5f28cd7f25a85e73b7d09a766a080c03632fafba9ff67dfbd2794b
            • Opcode Fuzzy Hash: 95f4d298b0b30621c673223f8a7c149b993cd9f54851ee77aa459d68a21b5c68
            • Instruction Fuzzy Hash: D590026134550842E100B2584458B46004AC7E1301F95C015E1064558D8719CD526136
            Function 03972F60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d14cf0436bedc986c8f4306ecd22892478c3a4f938647908e7ee3a06e1446ff
            • Instruction ID: fdfc167135ec0c65a80753b5d51a3e89dbbc0e5ac64ba77d59b387e7d60049d2
            • Opcode Fuzzy Hash: 9d14cf0436bedc986c8f4306ecd22892478c3a4f938647908e7ee3a06e1446ff
            • Instruction Fuzzy Hash: F690026121550442E104B2584448746008A87E1301F95C012A2154558CC6298D615135
            Function 03972E80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f94f65f5ad6dbc95e8d5e3c14445ead13952b058935fa9d4a1eaef0da3a9f40
            • Instruction ID: 4a4b25494f7f265dcd42d4e544c2324c28b43d0e3c6291cc2cbd5ccb531573ad
            • Opcode Fuzzy Hash: 8f94f65f5ad6dbc95e8d5e3c14445ead13952b058935fa9d4a1eaef0da3a9f40
            • Instruction Fuzzy Hash: 1690022160550902E101B2584448656004F87D0341FD5C022A1024559ECB258A92A131
            Function 03972EA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6b43fefa9a9d982cb46cb6af2f46b57648f8464011e6c2baeaff2b24a65d687c
            • Instruction ID: e915cbb142451198712edc535771688234b22f00448c8fd5dcbf504aeeccf0e9
            • Opcode Fuzzy Hash: 6b43fefa9a9d982cb46cb6af2f46b57648f8464011e6c2baeaff2b24a65d687c
            • Instruction Fuzzy Hash: 4390027120550802E140B2584448786004A87D0301F95C011A5064558E87598ED56675
            Function 03972EE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 06a9907f2e34dca8e9f7c64ce91ecb76a955f8e35f7d70fafbc17d63ba2e0690
            • Instruction ID: 4c07a10d56c986793d01283839c6580f6629ae05d173fd9525910b980de0b80a
            • Opcode Fuzzy Hash: 06a9907f2e34dca8e9f7c64ce91ecb76a955f8e35f7d70fafbc17d63ba2e0690
            • Instruction Fuzzy Hash: 2190026120590803E140B6584848647004A87D0302F95C011A2064559E8B298D516135
            Function 03972E30 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c0555722962e88ee2550b432fa0aead8a9ddb5f8e40e4a476d07ec4bd5aea1a
            • Instruction ID: 6fd2fec7f8da068cf90ae630f0cac44629455367e7f410f0ed058367a7de201e
            • Opcode Fuzzy Hash: 8c0555722962e88ee2550b432fa0aead8a9ddb5f8e40e4a476d07ec4bd5aea1a
            • Instruction Fuzzy Hash: C790022130550802E102B2584458646004EC7D1345FD5C012E1424559D87258A53A132
            Function 03972DB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4d7cf051e3d2e9cb1bbde7456ce81eb693e306769615e4f033c0ea669dda008
            • Instruction ID: 6e4c8f9c57da3bd3043566aa5cd2ae018c837df944db526e9aa2bf045f5a2ab4
            • Opcode Fuzzy Hash: d4d7cf051e3d2e9cb1bbde7456ce81eb693e306769615e4f033c0ea669dda008
            • Instruction Fuzzy Hash: F390023124550802E141B2584448646004E97D0341FD5C012A0424558E87558B56AA71
            Function 03972DD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b5d7871dc149f7014d8cc32d1dd3dea09056bb1c0f2118ce3329cfa7eaee9d79
            • Instruction ID: 0e63b70ddc8304ee86de8dc42e0c5c4e0210e5b7fc723ae4c1046da3827757be
            • Opcode Fuzzy Hash: b5d7871dc149f7014d8cc32d1dd3dea09056bb1c0f2118ce3329cfa7eaee9d79
            • Instruction Fuzzy Hash: 21900221246545526545F2584448547404B97E03417D5C012A1414954C86269956D631
            Function 03972D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d82ea3ee4836084abaf96c62bd2344389e848f6a4b89052e020f19c48b39503d
            • Instruction ID: 9d57fe21c6276fe9e1bb480e8660b23cd767c6610d47b21ca159a3acb5d6a896
            • Opcode Fuzzy Hash: d82ea3ee4836084abaf96c62bd2344389e848f6a4b89052e020f19c48b39503d
            • Instruction Fuzzy Hash: 6690022921750402E180B258544C64A004A87D1302FD5D415A001555CCCA1589695331
            Function 03973D10 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 01e31e4cf3e37e1f295919853faa3bdf12a8b64f9824f548990f53a1556c7b42
            • Instruction ID: 69754b87246a922fcf14288c22fa446c66c1486a9f54ebe868cb14f8a83979e6
            • Opcode Fuzzy Hash: 01e31e4cf3e37e1f295919853faa3bdf12a8b64f9824f548990f53a1556c7b42
            • Instruction Fuzzy Hash: 4990023120650542A540B3585848A8E414A87E1302BD5D415A0015558CCA1489615231
            Function 03972D00 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 58e79fc85f082d016413e8c1746fc011432d3206fb1443d7a42a9cac8bdd8497
            • Instruction ID: 0085f2e80dc21cde18468b645d15c10e102525686564e9e724d05db75cd09fae
            • Opcode Fuzzy Hash: 58e79fc85f082d016413e8c1746fc011432d3206fb1443d7a42a9cac8bdd8497
            • Instruction Fuzzy Hash: 4590022120954842E100B658544CA46004A87D0305F95D011A1064599DC7358951A131
            Function 03972D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c575f69e45e99ab4aa5e4126336549423480d846eb7889786f1c6345e9e9af64
            • Instruction ID: 03641bb45ee6304e0d4e7be104382a81604ee7442b0557b84fb4e8d065a07af5
            • Opcode Fuzzy Hash: c575f69e45e99ab4aa5e4126336549423480d846eb7889786f1c6345e9e9af64
            • Instruction Fuzzy Hash: 7890022130550403E140B258545C646404AD7E1301F95D011E0414558CDA1589565232
            Function 03973D70 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 324624ff5ee28ee2d711c434be8a8b8d4ccef8edb990060d91518f307b70d7d1
            • Instruction ID: 6aea1bf85b4f8c4c1aa26b467e14fd5f380ac8e045daf46e1f4dc6e04d2127ec
            • Opcode Fuzzy Hash: 324624ff5ee28ee2d711c434be8a8b8d4ccef8edb990060d91518f307b70d7d1
            • Instruction Fuzzy Hash: 2290023520550802E510B2585848686008B87D0301F95D411A042455CD875489A1A131
            Function 03972CA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f4455f6c8eb46c980e967e384b032d25aa2a056074ee2c1bfd9e75059d752386
            • Instruction ID: 0c7c13ae56aebe7c0bc3ea61432f33c2985132e94cb159e2f3bb3b622aa604a3
            • Opcode Fuzzy Hash: f4455f6c8eb46c980e967e384b032d25aa2a056074ee2c1bfd9e75059d752386
            • Instruction Fuzzy Hash: D690023120550802E100B698544C686004A87E0301F95D011A5024559EC76589916131
            Function 03972CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b768adaacb61e6ee12988c8011c9bc131e56138377cca3bc86fc0297a99fb495
            • Instruction ID: 81ba0678d2ba8e28d51f5bc329386b975728f9ed76aa8e86532cae10508896f2
            • Opcode Fuzzy Hash: b768adaacb61e6ee12988c8011c9bc131e56138377cca3bc86fc0297a99fb495
            • Instruction Fuzzy Hash: 1090022160950802E140B258545C746005A87D0301F95D011A0024558DC7598B5566B1
            Function 03972CF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1bdcec2d9d3888909aea586d082ca4a02e176df22da3df5e606ad8e60d79f161
            • Instruction ID: 0b92f4c1778a9a71eec373cf420f916ac88f02cc89879f2f0b371ab5b423740c
            • Opcode Fuzzy Hash: 1bdcec2d9d3888909aea586d082ca4a02e176df22da3df5e606ad8e60d79f161
            • Instruction Fuzzy Hash: 9790023120550803E100B258554C747004A87D0301F95D411A042455CDD75689516131
            Function 03972C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b2d6d3ebc716c01ff8dd22534e6ee3fd6154e69be3fe1ea45ae176348ab4df8b
            • Instruction ID: e7cb9acc1aac29f0d67702531b45ef01e4d6291c9aeab829bca3b13e30d5e72c
            • Opcode Fuzzy Hash: b2d6d3ebc716c01ff8dd22534e6ee3fd6154e69be3fe1ea45ae176348ab4df8b
            • Instruction Fuzzy Hash: 9590023120558C02E110B258844878A004A87D0301F99C411A442465CD879589917131
            Function 03972C60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14139a6257cac475446177e43794c411a29768ecddc1199d4e27bee11567b228
            • Instruction ID: f52669277373218222791313e56ca262f79b81aad2e2bebcd5bb93cb05d2bb03
            • Opcode Fuzzy Hash: 14139a6257cac475446177e43794c411a29768ecddc1199d4e27bee11567b228
            • Instruction Fuzzy Hash: C390023120550C42E100B2584448B86004A87E0301F95C016A0124658D8715C9517531
            Function 03972C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction ID: 1d68b5376d7de6f81baa80a78bf1609d016fbde4c99cb6f5da5139f3d6544bb7
            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction Fuzzy Hash:
            Function 03972890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 1e8502c7aa9bce0ac5c9c84665d1bd4603f5bc17b6a9ad71cb1e9c9127a4ab0e
            • Instruction ID: 2be8e7a4728a0517dc27dc12c3131d6ad7d74a0cf4c4abac081bd9629f13e135
            • Opcode Fuzzy Hash: 1e8502c7aa9bce0ac5c9c84665d1bd4603f5bc17b6a9ad71cb1e9c9127a4ab0e
            • Instruction Fuzzy Hash: 4D51C8B5A14616BFCB10DF9C899097EF7BCBB48240B188669E4A5D7681E334DE44CBE0
            Function 03967630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
            Download Yara Rule
            Strings
            • ExecuteOptions, xrefs: 039A46A0
            • Execute=1, xrefs: 039A4713
            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 039A4742
            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 039A4725
            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 039A46FC
            • CLIENT(ntdll): Processing section info %ws..., xrefs: 039A4787
            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 039A4655
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
            • API String ID: 0-484625025
            • Opcode ID: 0eba25808b7675d4affd3c477042ab0e9690c6d10f089c51d00343ded6c62b7e
            • Instruction ID: 706b4188ed24bd6d31b34c18e8734e26b4f3857caae0e1f55d017d2aa7cb7e0c
            • Opcode Fuzzy Hash: 0eba25808b7675d4affd3c477042ab0e9690c6d10f089c51d00343ded6c62b7e
            • Instruction Fuzzy Hash: AE510535A013197ADF20EBEDDC89FAE73BCEF44348F0805A9D505AB291E7719A418F61
            Function 0397B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-$0$0
            • API String ID: 1302938615-699404926
            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction ID: 5bb0d9f9e47dcd396d463e0c483d140d41c0bde8ec97799b4a8a814b5510392c
            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction Fuzzy Hash: 3E81D170E052499EDF24DE6CC8917FEBBB9AF853A0F1C465AD861AB7D0C7349840CB50
            Function 0395F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
            Download Yara Rule
            Strings
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 039A02BD
            • RTL: Re-Waiting, xrefs: 039A031E
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 039A02E7
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
            • API String ID: 0-2474120054
            • Opcode ID: 67565848433a9334151fe346fec471621fbfb9fcd574f8f7e5e9cf4f53612318
            • Instruction ID: f1e781f7e13b8e83a3193c3ea7925068890f967ae6e95013f1f6dd33e747fd48
            • Opcode Fuzzy Hash: 67565848433a9334151fe346fec471621fbfb9fcd574f8f7e5e9cf4f53612318
            • Instruction Fuzzy Hash: 0BE1AE31604B41DFD724CF28C884B2AB7E8BB84364F180A5DF9A68B3D1D774D985CB82
            Function 0396BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
            Download Yara Rule
            Strings
            • RTL: Resource at %p, xrefs: 039A7B8E
            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 039A7B7F
            • RTL: Re-Waiting, xrefs: 039A7BAC
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 0-871070163
            • Opcode ID: 0e1dd68ac149754e2fafb2368102e49723462fdbf75ad8e05d5759696c1b91eb
            • Instruction ID: 52f85d73e484a2371b1a10b5a240651cf68e60ae355859dda7d69115649678e1
            • Opcode Fuzzy Hash: 0e1dd68ac149754e2fafb2368102e49723462fdbf75ad8e05d5759696c1b91eb
            • Instruction Fuzzy Hash: E74116353057029FC724DE69CC41B6AB7E9EF88710F040A2DF95ADB290E730E405CB91
            Function 0396B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 039A728C
            Strings
            • RTL: Resource at %p, xrefs: 039A72A3
            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 039A7294
            • RTL: Re-Waiting, xrefs: 039A72C1
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 885266447-605551621
            • Opcode ID: 3643c1f394d866f6202ff5cf772e7f8fc66953a292d0f8387ea692eeb32dad8b
            • Instruction ID: 9bc240f42d6b3a5ee19363d75672e557ed140a56f239e237053d77f525b96510
            • Opcode Fuzzy Hash: 3643c1f394d866f6202ff5cf772e7f8fc66953a292d0f8387ea692eeb32dad8b
            • Instruction Fuzzy Hash: 2F41F235701606ABC720DEA9CC42B6AB7A9FF84754F140A29FD55EB280EB30F812C7D1
            Function 03977D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-
            • API String ID: 1302938615-2137968064
            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
            • Instruction ID: 9ec955086aede08b46768d9a3cb16ca4043844b9c03c99d78c70502aa6fe6090
            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
            • Instruction Fuzzy Hash: 7191C671E002169BDF24DFA9C985BBEB7B9FF847A0F18451AE865E72D0E7308941CB50
            Function 03939126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$@
            • API String ID: 0-1194432280
            • Opcode ID: 40ee7dc02726ba163a5cf2946591175969a9030b2670138fb4dce09f95ea7023
            • Instruction ID: 4369b38c66408d7a40f8909e0c3d261cdf8ec470ff623c9c4d3e29d8b47c0e19
            • Opcode Fuzzy Hash: 40ee7dc02726ba163a5cf2946591175969a9030b2670138fb4dce09f95ea7023
            • Instruction Fuzzy Hash: AF813BB6D002699BDB31DF94CC44BEEB7B8AB48750F0445DAE909B7280D7709E81CFA0
            Function 039BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
            Download Yara Rule
            APIs
            • @_EH4_CallFilterFunc@8.LIBCMT ref: 039BCFBD
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.1561978157.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_8_2_3900000_svchost.jbxd
            Similarity
            • API ID: CallFilterFunc@8
            • String ID: @$@4rw@4rw
            • API String ID: 4062629308-2979693914
            • Opcode ID: 6b203771ee64b4b840f5a258526aedd508e1296ccd61582d815ad7f0aa0c83cf
            • Instruction ID: dc15417f38e9333896ff51a3937018f4fc593c63ec6b57ee081fd2f6d438a63d
            • Opcode Fuzzy Hash: 6b203771ee64b4b840f5a258526aedd508e1296ccd61582d815ad7f0aa0c83cf
            • Instruction Fuzzy Hash: 5F41A379900324EFCB21DFA9D980AADBBB8FF95704F04446AE915DF254D774D801CB61