Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DRAFT.exe

Overview

General Information

Sample name:DRAFT.exe
Analysis ID:1523184
MD5:9400d0d008f7333528ee573d03efb057
SHA1:737f8e29daf5873fe7024a4c0ac7bcc2b17347be
SHA256:9721ce3f920fb4e3410b28d98077ca621a2a79e8a1e41ee0673533fb20e3dc43
Tags:exeFormbookuser-lowmal3
Infos:

Detection

FormBook
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • DRAFT.exe (PID: 2828 cmdline: "C:\Users\user\Desktop\DRAFT.exe" MD5: 9400D0D008F7333528EE573D03EFB057)
    • svchost.exe (PID: 6776 cmdline: "C:\Users\user\Desktop\DRAFT.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1402f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2ee63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x170e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.svchost.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2e063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x162e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          2.2.svchost.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2ee63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x170e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DRAFT.exe", CommandLine: "C:\Users\user\Desktop\DRAFT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT.exe", ParentImage: C:\Users\user\Desktop\DRAFT.exe, ParentProcessId: 2828, ParentProcessName: DRAFT.exe, ProcessCommandLine: "C:\Users\user\Desktop\DRAFT.exe", ProcessId: 6776, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\DRAFT.exe", CommandLine: "C:\Users\user\Desktop\DRAFT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT.exe", ParentImage: C:\Users\user\Desktop\DRAFT.exe, ParentProcessId: 2828, ParentProcessName: DRAFT.exe, ProcessCommandLine: "C:\Users\user\Desktop\DRAFT.exe", ProcessId: 6776, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: DRAFT.exeReversingLabs: Detection: 39%
          Source: DRAFT.exeVirustotal: Detection: 31%Perma Link
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: DRAFT.exeJoe Sandbox ML: detected
          Source: DRAFT.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.2474886201.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2444950668.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2443168888.0000000003800000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.2474886201.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2444950668.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2443168888.0000000003800000.00000004.00000020.00020000.00000000.sdmp
          Source: unknownDNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficDNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C163 NtClose,2_2_0042C163
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72B60 NtClose,LdrInitializeThunk,2_2_03C72B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03C72DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk,2_2_03C735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C74340 NtSetContextThread,2_2_03C74340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C74650 NtSuspendThread,2_2_03C74650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72BE0 NtQueryValueKey,2_2_03C72BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72BF0 NtAllocateVirtualMemory,2_2_03C72BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72B80 NtQueryInformationFile,2_2_03C72B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72BA0 NtEnumerateValueKey,2_2_03C72BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72AD0 NtReadFile,2_2_03C72AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72AF0 NtWriteFile,2_2_03C72AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72AB0 NtWaitForSingleObject,2_2_03C72AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72FE0 NtCreateFile,2_2_03C72FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72F90 NtProtectVirtualMemory,2_2_03C72F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72FA0 NtQuerySection,2_2_03C72FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72FB0 NtResumeThread,2_2_03C72FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72F60 NtCreateProcessEx,2_2_03C72F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72F30 NtCreateSection,2_2_03C72F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72EE0 NtQueueApcThread,2_2_03C72EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72E80 NtReadVirtualMemory,2_2_03C72E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72EA0 NtAdjustPrivilegesToken,2_2_03C72EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72E30 NtWriteVirtualMemory,2_2_03C72E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72DD0 NtDelayExecution,2_2_03C72DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72DB0 NtEnumerateKey,2_2_03C72DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72D00 NtSetInformationFile,2_2_03C72D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72D10 NtMapViewOfSection,2_2_03C72D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72D30 NtUnmapViewOfSection,2_2_03C72D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72CC0 NtQueryVirtualMemory,2_2_03C72CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72CF0 NtOpenProcess,2_2_03C72CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72CA0 NtQueryInformationToken,2_2_03C72CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72C60 NtCreateKey,2_2_03C72C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72C70 NtFreeVirtualMemory,2_2_03C72C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72C00 NtQueryInformationProcess,2_2_03C72C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C73090 NtSetValueKey,2_2_03C73090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C73010 NtOpenDirectoryObject,2_2_03C73010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C739B0 NtGetContextThread,2_2_03C739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C73D70 NtOpenThread,2_2_03C73D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C73D10 NtOpenProcessToken,2_2_03C73D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040166D2_2_0040166D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010D02_2_004010D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004021502_2_00402150
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004012402_2_00401240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FAF32_2_0040FAF3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004023502_2_00402350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041644E2_2_0041644E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004164532_2_00416453
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041640C2_2_0041640C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FD132_2_0040FD13
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040DD932_2_0040DD93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402E302_2_00402E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042E7532_2_0042E753
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E3F02_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D003E62_2_03D003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFA3522_2_03CFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC02C02_2_03CC02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE02742_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF81CC2_2_03CF81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D001AA2_2_03D001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC81582_2_03CC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C301002_2_03C30100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA1182_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD20002_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3C7C02_2_03C3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C647502_2_03C64750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C407702_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5C6E02_2_03C5C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D005912_2_03D00591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C405352_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEE4F62_2_03CEE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF24462_2_03CF2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF6BD72_2_03CF6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFAB402_2_03CFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA802_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A02_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D0A9A62_2_03D0A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C569622_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E8F02_2_03C6E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C268B82_2_03C268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4A8402_2_03C4A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C428402_2_03C42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32FC82_2_03C32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4CFE02_2_03C4CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBEFA02_2_03CBEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4F402_2_03CB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C82F282_2_03C82F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60F302_2_03C60F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFEEDB2_2_03CFEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C52E902_2_03C52E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFCE932_2_03CFCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40E592_2_03C40E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFEE262_2_03CFEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3ADE02_2_03C3ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C58DBF2_2_03C58DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4AD002_2_03C4AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30CF22_2_03C30CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0CB52_2_03CE0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40C002_2_03C40C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C8739A2_2_03C8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2D34C2_2_03C2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF132D2_2_03CF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5B2C02_2_03C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE12ED2_2_03CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C452A02_2_03C452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4B1B02_2_03C4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7516C2_2_03C7516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F1722_2_03C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D0B16B2_2_03D0B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEF0CC2_2_03CEF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C02_2_03C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF70E92_2_03CF70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFF0E02_2_03CFF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFF7B02_2_03CFF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF16CC2_2_03CF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDD5B02_2_03CDD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF75712_2_03CF7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C314602_2_03C31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFF43F2_2_03CFF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB5BF02_2_03CB5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7DBF92_2_03C7DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5FB802_2_03C5FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFB762_2_03CFFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEDAC62_2_03CEDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDDAAC2_2_03CDDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C85AA02_2_03C85AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFA492_2_03CFFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF7A462_2_03CF7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB3A6C2_2_03CB3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C499502_2_03C49950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5B9502_2_03C5B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD59102_2_03CD5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C438E02_2_03C438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAD8002_2_03CAD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41F922_2_03C41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFFB12_2_03CFFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFF092_2_03CFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C49EB02_2_03C49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5FDC02_2_03C5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C43D402_2_03C43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF1D5A2_2_03CF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF7D732_2_03CF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFCF22_2_03CFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB9C322_2_03CB9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03C75130 appears 56 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03C2B970 appears 275 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03C87E54 appears 100 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03CAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03CBF290 appears 105 times
          Source: DRAFT.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: DRAFT.exeStatic PE information: Section: UPX1 ZLIB complexity 0.9933401031783681
          Source: classification engineClassification label: mal84.troj.evad.winEXE@3/1@1/0
          Source: C:\Users\user\Desktop\DRAFT.exeFile created: C:\Users\user\AppData\Local\Temp\incalculableJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: DRAFT.exeReversingLabs: Detection: 39%
          Source: DRAFT.exeVirustotal: Detection: 31%
          Source: C:\Users\user\Desktop\DRAFT.exeFile read: C:\Users\user\Desktop\DRAFT.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\DRAFT.exe "C:\Users\user\Desktop\DRAFT.exe"
          Source: C:\Users\user\Desktop\DRAFT.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DRAFT.exe"
          Source: C:\Users\user\Desktop\DRAFT.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DRAFT.exe"Jump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: DRAFT.exeStatic file information: File size 1056183 > 1048576
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.2474886201.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2444950668.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2443168888.0000000003800000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.2474886201.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2444950668.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2443168888.0000000003800000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E8D7 push cs; iretd 2_2_0041E8D8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041F0A3 push ss; retf 2_2_0041F0BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004030B0 push eax; ret 2_2_004030B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00423242 push edi; iretd 2_2_0042324E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00423243 push edi; iretd 2_2_0042324E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D22E push ebx; iretd 2_2_0040D22F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042323D push edi; iretd 2_2_0042324E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00415B93 push ds; retn AABCh2_2_00415C2C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040CC49 push ebp; retf 2_2_0040CCDD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040CCCD push ebp; retf 2_2_0040CCDD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004134D3 push cs; iretd 2_2_00413550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00413D73 pushfd ; retf 2_2_00413D8B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004246C2 push D311BF88h; retf 2_2_004246C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411715 push eax; iretd 2_2_00411716
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx2_2_03C309B6
          Source: initial sampleStatic PE information: section name: UPX0
          Source: initial sampleStatic PE information: section name: UPX1

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\DRAFT.exeAPI/Special instruction interceptor: Address: 426C28C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7096E rdtsc 2_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 6788Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7096E rdtsc 2_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417403 LdrLoadDll,2_2_00417403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]2_2_03CEC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]2_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]2_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]2_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]2_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h]2_2_03CB63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]2_2_03CD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]2_2_03CD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]2_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]2_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]2_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]2_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]2_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]2_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]2_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]2_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]2_2_03C663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]2_2_03C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]2_2_03C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]2_2_03C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]2_2_03C5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]2_2_03C5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]2_2_03C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]2_2_03C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]2_2_03C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]2_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]2_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]2_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]2_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]2_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]2_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]2_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]2_2_03CFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]2_2_03CD437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]2_2_03C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]2_2_03C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]2_2_03C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]2_2_03C2C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]2_2_03C50310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]2_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]2_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]2_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]2_2_03C6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]2_2_03C6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]2_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]2_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]2_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h]2_2_03C402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h]2_2_03C402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]2_2_03CB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]2_2_03CB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]2_2_03C2A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]2_2_03C36259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]2_2_03C2826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]2_2_03C2823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]2_2_03CF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]2_2_03CF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]2_2_03D061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]2_2_03C601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]2_2_03C70185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]2_2_03CEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]2_2_03CEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]2_2_03CD4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]2_2_03CD4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]2_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]2_2_03C2C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]2_2_03CC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]2_2_03C36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]2_2_03C36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]2_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]2_2_03CF0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]2_2_03C60124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]2_2_03CB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03C2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]2_2_03C380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]2_2_03CB60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03C2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]2_2_03C720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]2_2_03C3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]2_2_03CC80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]2_2_03CF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03CF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]2_2_03C32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]2_2_03CB6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]2_2_03C5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]2_2_03CB4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]2_2_03C2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]2_2_03C2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]2_2_03CC6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03C3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]2_2_03CB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03CBE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]2_2_03CD678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]2_2_03C307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]2_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]2_2_03C30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]2_2_03CBE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]2_2_03CB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]2_2_03C38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]2_2_03C6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]2_2_03C30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]2_2_03C60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]2_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]2_2_03CAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03C6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03C6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03C6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]2_2_03C666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]2_2_03C4C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]2_2_03C62674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]2_2_03CAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]2_2_03C72619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]2_2_03C4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]2_2_03C66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]2_2_03C68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]2_2_03C3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]2_2_03C365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]2_2_03C325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]2_2_03C32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]2_2_03C32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]2_2_03C64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]2_2_03C6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]2_2_03C545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]2_2_03C545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]2_2_03C38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]2_2_03C38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]2_2_03CC6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]2_2_03C304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]2_2_03C364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]2_2_03C644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03CBA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]2_2_03C2645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]2_2_03C5245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]2_2_03CBC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]2_2_03C2C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]2_2_03C6A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03CDEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h]2_2_03C5EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03CBCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]2_2_03C40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]2_2_03C40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]2_2_03CC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]2_2_03CC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h]2_2_03CFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h]2_2_03CD8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h]2_2_03C2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]2_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]2_2_03C5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]2_2_03C5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]2_2_03CF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]2_2_03CF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]2_2_03C86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]2_2_03C86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]2_2_03C86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h]2_2_03C30AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]2_2_03C64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]2_2_03C64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]2_2_03C6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]2_2_03C6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]2_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h]2_2_03D04A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h]2_2_03C68A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]2_2_03C38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]2_2_03C38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h]2_2_03C86AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]2_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]2_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]2_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]2_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]2_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]2_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]2_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]2_2_03C40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]2_2_03C40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]2_2_03C6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]2_2_03C6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]2_2_03C6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]2_2_03CACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]2_2_03CACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h]2_2_03CBCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h]2_2_03C6CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h]2_2_03C5EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]2_2_03C54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]2_2_03C54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h]2_2_03C6CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h]2_2_03CC69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h]2_2_03C649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]2_2_03CFA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]2_2_03CBE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]2_2_03C629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]2_2_03C629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]2_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]2_2_03C309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]2_2_03C309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h]2_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]2_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]2_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h]2_2_03CB0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]2_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]2_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]2_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]2_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h]2_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]2_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]2_2_03CD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]2_2_03CD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h]2_2_03CBC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]2_2_03CAE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]2_2_03CAE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h]2_2_03CBC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]2_2_03C28918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]2_2_03C28918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h]2_2_03CB892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h]2_2_03CC892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]2_2_03C5E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]2_2_03CFA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03C6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03C6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h]2_2_03C30887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h]2_2_03CBC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h]2_2_03C42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h]2_2_03C60854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]2_2_03C34859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]2_2_03C34859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]2_2_03CBE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]2_2_03CBE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6870 mov eax, dword ptr fs:[00000030h]2_2_03CC6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6870 mov eax, dword ptr fs:[00000030h]2_2_03CC6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBC810 mov eax, dword ptr fs:[00000030h]2_2_03CBC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]2_2_03C52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]2_2_03C52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]2_2_03C52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C52835 mov ecx, dword ptr fs:[00000030h]2_2_03C52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]2_2_03C52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]2_2_03C52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A830 mov eax, dword ptr fs:[00000030h]2_2_03C6A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD483A mov eax, dword ptr fs:[00000030h]2_2_03CD483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD483A mov eax, dword ptr fs:[00000030h]2_2_03CD483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]2_2_03C32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]2_2_03C32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]2_2_03C32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]2_2_03C32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2EFD8 mov eax, dword ptr fs:[00000030h]2_2_03C2EFD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2EFD8 mov eax, dword ptr fs:[00000030h]2_2_03C2EFD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2EFD8 mov eax, dword ptr fs:[00000030h]2_2_03C2EFD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4CFE0 mov eax, dword ptr fs:[00000030h]2_2_03C4CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4CFE0 mov eax, dword ptr fs:[00000030h]2_2_03C4CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C70FF6 mov eax, dword ptr fs:[00000030h]2_2_03C70FF6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C70FF6 mov eax, dword ptr fs:[00000030h]2_2_03C70FF6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C70FF6 mov eax, dword ptr fs:[00000030h]2_2_03C70FF6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C70FF6 mov eax, dword ptr fs:[00000030h]2_2_03C70FF6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04FE7 mov eax, dword ptr fs:[00000030h]2_2_03D04FE7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE6FF7 mov eax, dword ptr fs:[00000030h]2_2_03CE6FF7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6CF80 mov eax, dword ptr fs:[00000030h]2_2_03C6CF80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C62F98 mov eax, dword ptr fs:[00000030h]2_2_03C62F98
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C62F98 mov eax, dword ptr fs:[00000030h]2_2_03C62F98
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4F40 mov eax, dword ptr fs:[00000030h]2_2_03CB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4F40 mov eax, dword ptr fs:[00000030h]2_2_03CB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4F40 mov eax, dword ptr fs:[00000030h]2_2_03CB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4F40 mov eax, dword ptr fs:[00000030h]2_2_03CB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD4F42 mov eax, dword ptr fs:[00000030h]2_2_03CD4F42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2CF50 mov eax, dword ptr fs:[00000030h]2_2_03C2CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2CF50 mov eax, dword ptr fs:[00000030h]2_2_03C2CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2CF50 mov eax, dword ptr fs:[00000030h]2_2_03C2CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2CF50 mov eax, dword ptr fs:[00000030h]2_2_03C2CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2CF50 mov eax, dword ptr fs:[00000030h]2_2_03C2CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2CF50 mov eax, dword ptr fs:[00000030h]2_2_03C2CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6CF50 mov eax, dword ptr fs:[00000030h]2_2_03C6CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD0F50 mov eax, dword ptr fs:[00000030h]2_2_03CD0F50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5AF69 mov eax, dword ptr fs:[00000030h]2_2_03C5AF69
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5AF69 mov eax, dword ptr fs:[00000030h]2_2_03C5AF69

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\DRAFT.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\DRAFT.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 308C008Jump to behavior
          Source: C:\Users\user\Desktop\DRAFT.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DRAFT.exe"Jump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		211
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping12
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		211
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable Media1
          Non-Application Layer Protocol          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager1
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared Drive1
          Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook21
          Obfuscated Files or Information          		NTDS1
          File and Directory Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
          Software Packing          		LSA Secrets11
          System Information Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          DLL Side-Loading          		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          DRAFT.exe39%ReversingLabsWin32.Trojan.Autoitinject
          DRAFT.exe32%VirustotalBrowse
          DRAFT.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          SourceDetectionScannerLabelLink
          15.164.165.52.in-addr.arpa0%VirustotalBrowse

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          15.164.165.52.in-addr.arpa
          		unknown
          		unknowntrueunknown

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1523184
          Start date and time:2024-10-01 08:50:08 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 14s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:DRAFT.exe
          Detection:MAL
          Classification:mal84.troj.evad.winEXE@3/1@1/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 11
          • Number of non-executed functions: 330
          Cookbook Comments:
          • Found application associated with file extension: .exe

          Warnings

          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

          Simulations

          Behavior and APIs

          TimeTypeDescription
          02:51:39API Interceptor3x Sleep call for process: svchost.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Temp\incalculable

          Download File
          Process:C:\Users\user\Desktop\DRAFT.exe
          File Type:data
          Category:dropped
          Size (bytes):286720
          Entropy (8bit):7.9948656649539975
          Encrypted:true
          SSDEEP:6144:v7/FHWvazAzu+7eXPYmvOhSyyu60RAKyLPByHd7upooCmdA:zEzyfYfhvlANPhpopmC
          MD5:27742816ABCC8DAC7C4D9B029F3C77A0
          SHA1:3FA82032CE66463A33F616AC9F158F1F39C8CAC4
          SHA-256:64BC894759BBB7C9CD7EE0EC20BD055B045F1D479D8A6B21253B8CE5A90CBE44
          SHA-512:53A1A53918A160BFA1513C231ECC260E7502579734463D106B99CA1F217FAAAD60757F20C99FF85A4DD943E64932E819166E4D4768274CA9F3EDE51A31EB8143
          Malicious:false
          Reputation:low
          Preview:.k.f.5GUKk.9...u.T0...W8...R1D445GUK3RZ08FRDIAT34XL5T0AED.1D4:*.[K.[...G..h.<ZGx<G;W3$)rR%ZZZ3u)Vr(EVf;*i..`.5#Q1.LHNv1D445GU22[..X!.y)&..T?./..$5.^...{5,.H...z2#..=P\e,R.0AEDR1D4dpGU.2SZs*N.DIAT34XL.T2@NEY1Dz05GUK3RZ08fGDIAD34X,1T0A.DR!D447GUM3RZ08FRBIAT34XL544AEFR1D445EU..RZ 8FBDIAT#4X\5T0AEDB1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ.L#*0IAT.x\L5D0AE.V1D$45GUK3RZ08FRDIaT3TXL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3RZ08FRDIAT34XL5T0AEDR1D445GUK3

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
          Entropy (8bit):7.981050080149409
          TrID:
          • Win32 Executable (generic) a (10002005/4) 94.59%
          • AutoIt3 compiled script executable (510682/80) 4.83%
          • UPX compressed Win32 Executable (30571/9) 0.29%
          • Win32 EXE Yoda's Crypter (26571/9) 0.25%
          • Generic Win/DOS Executable (2004/3) 0.02%
          File name:DRAFT.exe
          File size:1'056'183 bytes
          MD5:9400d0d008f7333528ee573d03efb057
          SHA1:737f8e29daf5873fe7024a4c0ac7bcc2b17347be
          SHA256:9721ce3f920fb4e3410b28d98077ca621a2a79e8a1e41ee0673533fb20e3dc43
          SHA512:31115c5be81a0486f4e37d2183f5aac216fe83a644e0869143e55182d58889ca9e17db504bedf8fcc8e6482862d99cee02dd278bee28ae5dbaa558c1695544a0
          SSDEEP:24576:VD0tM85tbNJjldeYiYrAWOJUDyj88u0owQyfRrxWb:VD0tM85DJjl/ieTDyj8KolyfRtWb
          TLSH:41253302F365E09AD5F98B35BDB7398512A2693D9F32D30212B01BCFAC7870EBE25145
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

          File Icon

          Icon Hash:1733312925935517

          Static PE Info

          General

          Entrypoint:0x4b8b90
          Entrypoint Section:UPX1
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:TERMINAL_SERVER_AWARE
          Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:0
          File Version Major:5
          File Version Minor:0
          Subsystem Version Major:5
          Subsystem Version Minor:0
          Import Hash:77b2e5e9b52fbef7638f64ab65f0c58c

          Entrypoint Preview

          Instruction
          pushad
          mov esi, 00477000h
          lea edi, dword ptr [esi-00076000h]
          push edi
          jmp 00007FB4DD02CADDh
          nop
          mov al, byte ptr [esi]
          inc esi
          mov byte ptr [edi], al
          inc edi
          add ebx, ebx
          jne 00007FB4DD02CAD9h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007FB4DD02CABFh
          mov eax, 00000001h
          add ebx, ebx
          jne 00007FB4DD02CAD9h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc eax, eax
          add ebx, ebx
          jnc 00007FB4DD02CADDh
          jne 00007FB4DD02CAFAh
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007FB4DD02CAF1h
          dec eax
          add ebx, ebx
          jne 00007FB4DD02CAD9h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc eax, eax
          jmp 00007FB4DD02CAA6h
          add ebx, ebx
          jne 00007FB4DD02CAD9h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          jmp 00007FB4DD02CB24h
          xor ecx, ecx
          sub eax, 03h
          jc 00007FB4DD02CAE3h
          shl eax, 08h
          mov al, byte ptr [esi]
          inc esi
          xor eax, FFFFFFFFh
          je 00007FB4DD02CB47h
          sar eax, 1
          mov ebp, eax
          jmp 00007FB4DD02CADDh
          add ebx, ebx
          jne 00007FB4DD02CAD9h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007FB4DD02CA9Eh
          inc ecx
          add ebx, ebx
          jne 00007FB4DD02CAD9h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007FB4DD02CA90h
          add ebx, ebx
          jne 00007FB4DD02CAD9h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          add ebx, ebx
          jnc 00007FB4DD02CAC1h
          jne 00007FB4DD02CADBh
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jnc 00007FB4DD02CAB6h
          add ecx, 02h
          cmp ebp, FFFFFB00h
          adc ecx, 02h
          lea edx, dword ptr [edi+ebp]
          cmp ebp, FFFFFFFCh
          jbe 00007FB4DD02CAE0h
          mov al, byte ptr [edx]

          Rich Headers

          Programming Language:
          • [ASM] VS2008 SP1 build 30729
          • [ C ] VS2008 SP1 build 30729
          • [C++] VS2008 SP1 build 30729
          • [ C ] VS2005 build 50727
          • [IMP] VS2005 build 50727
          • [ASM] VS2008 build 21022
          • [RES] VS2008 build 21022
          • [LNK] VS2008 SP1 build 30729

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0xc00380x3b0.rsrc
          IMAGE_DIRECTORY_ENTRY_RESOURCE0xb90000x7038.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x00x0
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          UPX00x10000x760000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          UPX10x770000x420000x41e00f914a8d655ae07ad6878d428980d492eFalse0.9933401031783681data7.929619295565276IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0xb90000x80000x7400375506aad8714493f389985f5be0ee28False0.5646214978448276data5.905766661808417IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_ICON0xb95cc0x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
          RT_ICON0xb96f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
          RT_ICON0xb98240x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
          RT_ICON0xb99500x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishGreat Britain0.48109756097560974
          RT_ICON0xb9fbc0x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishGreat Britain0.5672043010752689
          RT_ICON0xba2a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishGreat Britain0.6418918918918919
          RT_ICON0xba3d40xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishGreat Britain0.7044243070362474
          RT_ICON0xbb2800x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishGreat Britain0.8077617328519856
          RT_ICON0xbbb2c0x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishGreat Britain0.5903179190751445
          RT_ICON0xbc0980x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishGreat Britain0.5503112033195021
          RT_ICON0xbe6440x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishGreat Britain0.6050656660412758
          RT_ICON0xbf6f00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishGreat Britain0.7553191489361702
          RT_MENU0xb1b280x50dataEnglishGreat Britain1.1375
          RT_DIALOG0xb1b780xfcdataEnglishGreat Britain1.0436507936507937
          RT_STRING0xb1c780x530dataEnglishGreat Britain1.0082831325301205
          RT_STRING0xb21a80x690dataEnglishGreat Britain1.006547619047619
          RT_STRING0xb28380x43adataEnglishGreat Britain1.010166358595194
          RT_STRING0xb2c780x5fcdataEnglishGreat Britain1.0071801566579635
          RT_STRING0xb32780x65cdataEnglishGreat Britain1.0067567567567568
          RT_STRING0xb38d80x388dataEnglishGreat Britain1.0121681415929205
          RT_STRING0xb3c600x158dataEnglishUnited States1.0319767441860466
          RT_GROUP_ICON0xbfb5c0x84dataEnglishGreat Britain0.6439393939393939
          RT_GROUP_ICON0xbfbe40x14dataEnglishGreat Britain1.15
          RT_GROUP_ICON0xbfbfc0x14dataEnglishGreat Britain1.25
          RT_GROUP_ICON0xbfc140x14dataEnglishGreat Britain1.25
          RT_VERSION0xbfc2c0x19cdataEnglishGreat Britain0.5339805825242718
          RT_MANIFEST0xbfdcc0x26cASCII text, with CRLF line terminatorsEnglishUnited States0.5145161290322581

          Imports

          DLLImport
          KERNEL32.DLLLoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
          ADVAPI32.dllGetAce
          COMCTL32.dllImageList_Remove
          COMDLG32.dllGetSaveFileNameW
          GDI32.dllLineTo
          MPR.dllWNetGetConnectionW
          ole32.dllCoInitialize
          OLEAUT32.dllSafeArrayUnaccessData
          PSAPI.DLLEnumProcesses
          SHELL32.dllDragFinish
          USER32.dllGetDC
          USERENV.dllLoadUserProfileW
          VERSION.dllVerQueryValueW
          WININET.dllFtpOpenFileW
          WINMM.dlltimeGetTime
          WSOCK32.dllrecv

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          EnglishGreat Britain
          EnglishUnited States

          Network Behavior

          Network Port Distribution

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Oct 1, 2024 08:51:31.586997986 CEST5364472162.159.36.2192.168.2.5
          Oct 1, 2024 08:51:32.209434032 CEST5451153192.168.2.51.1.1.1
          Oct 1, 2024 08:51:32.216835976 CEST53545111.1.1.1192.168.2.5

          DNS Queries

          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
          Oct 1, 2024 08:51:32.209434032 CEST192.168.2.51.1.1.10x7d6fStandard query (0)15.164.165.52.in-addr.arpaPTR (Pointer record)IN (0x0001)false

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Oct 1, 2024 08:51:32.216835976 CEST1.1.1.1192.168.2.50x7d6fName error (3)15.164.165.52.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:02:50:56
          Start date:01/10/2024
          Path:C:\Users\user\Desktop\DRAFT.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\DRAFT.exe"
          Imagebase:0x400000
          File size:1'056'183 bytes
          MD5 hash:9400D0D008F7333528EE573D03EFB057
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          General

          Target ID:2
          Start time:02:51:02
          Start date:01/10/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\DRAFT.exe"
          Imagebase:0xbf0000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2474859380.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:0.8%
            Dynamic/Decrypted Code Coverage:5.1%
            Signature Coverage:5.1%
            Total number of Nodes:117
            Total number of Limit Nodes:12
            execution_graph 87901 4248c3 87902 4248dc 87901->87902 87903 424924 87902->87903 87906 424964 87902->87906 87908 424969 87902->87908 87909 42e1f3 87903->87909 87907 42e1f3 RtlFreeHeap 87906->87907 87907->87908 87912 42c4d3 87909->87912 87911 424931 87913 42c4f0 87912->87913 87914 42c501 RtlFreeHeap 87913->87914 87914->87911 87915 42b763 87916 42b780 87915->87916 87919 3c72df0 LdrInitializeThunk 87916->87919 87917 42b7a8 87919->87917 87929 42e2d3 87932 42c483 87929->87932 87931 42e2ee 87933 42c49d 87932->87933 87934 42c4ae RtlAllocateHeap 87933->87934 87934->87931 87935 42f413 87936 42e1f3 RtlFreeHeap 87935->87936 87937 42f428 87936->87937 87938 42f793 87940 42f7b9 87938->87940 87939 42f80b 87940->87939 87943 429673 87940->87943 87942 42f860 87944 4296d1 87943->87944 87946 4296e5 87944->87946 87947 417483 87944->87947 87946->87942 87950 417464 87947->87950 87948 41746a LdrLoadDll 87949 41747a 87948->87949 87949->87946 87950->87948 87951 41742b 87950->87951 87951->87946 87952 4138b3 87956 4138d3 87952->87956 87954 41393c 87955 413932 87956->87954 87957 41b033 RtlFreeHeap LdrInitializeThunk 87956->87957 87957->87955 87958 4245f6 87959 42453a 87958->87959 87960 424607 87958->87960 87961 42459d 87959->87961 87962 424577 87959->87962 87963 42458b 87959->87963 87960->87960 87964 42c163 NtClose 87962->87964 87965 42c163 NtClose 87963->87965 87966 424580 87964->87966 87967 424594 87965->87967 87969 42e313 RtlAllocateHeap 87967->87969 87969->87961 87970 401956 87971 40195a 87970->87971 87974 42f883 87971->87974 87977 42ddb3 87974->87977 87978 42ddd9 87977->87978 87987 4071d3 87978->87987 87980 42ddef 87986 401aca 87980->87986 87990 41ad23 87980->87990 87982 42de0e 87983 42c523 ExitProcess 87982->87983 87984 42de23 87982->87984 87983->87984 88001 42c523 87984->88001 87989 4071e0 87987->87989 88004 4160d3 87987->88004 87989->87980 87991 41ad4f 87990->87991 88022 41ac13 87991->88022 87994 41ad94 87996 41adb0 87994->87996 87999 42c163 NtClose 87994->87999 87995 41ad7c 87997 41ad87 87995->87997 87998 42c163 NtClose 87995->87998 87996->87982 87997->87982 87998->87997 88000 41ada6 87999->88000 88000->87982 88002 42c53d 88001->88002 88003 42c54e ExitProcess 88002->88003 88003->87986 88005 4160ed 88004->88005 88007 416106 88005->88007 88008 42cbb3 88005->88008 88007->87989 88010 42cbcd 88008->88010 88009 42cbfc 88009->88007 88010->88009 88015 42b7b3 88010->88015 88013 42e1f3 RtlFreeHeap 88014 42cc72 88013->88014 88014->88007 88016 42b7cd 88015->88016 88019 3c72c0a 88016->88019 88017 42b7f9 88017->88013 88020 3c72c1f LdrInitializeThunk 88019->88020 88021 3c72c11 88019->88021 88020->88017 88021->88017 88023 41ad09 88022->88023 88024 41ac2d 88022->88024 88023->87994 88023->87995 88028 42b853 88024->88028 88027 42c163 NtClose 88027->88023 88029 42b86d 88028->88029 88032 3c735c0 LdrInitializeThunk 88029->88032 88030 41acfd 88030->88027 88032->88030 87920 3c72b60 LdrInitializeThunk 88033 42407b 88037 424015 88033->88037 88034 424027 88035 424103 88038 42c163 NtClose 88035->88038 88036 424118 88039 42c163 NtClose 88036->88039 88037->88033 88037->88034 88037->88035 88037->88036 88040 42410c 88038->88040 88042 424121 88039->88042 88041 424158 88042->88041 88043 42e1f3 RtlFreeHeap 88042->88043 88044 42414c 88043->88044 87921 42484c 87922 424852 87921->87922 87925 424857 87922->87925 87926 42c163 87922->87926 87924 42487c 87927 42c180 87926->87927 87928 42c191 NtClose 87927->87928 87928->87924

            Executed Functions

            Function 0040166D Relevance: 1.6, Strings: 1, Instructions: 375COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 30 40166d-401672 31 401674-4016d2 30->31 32 4016ed-4016f2 30->32 44 4016d7-4016d8 31->44 33 40173e-40174e 32->33 34 401750-4017c7 33->34 35 401738 33->35 50 4017c9 34->50 51 4017ca-4017d3 34->51 37 4016f3-4016f6 35->37 38 40173a-40173c 35->38 39 4016f7-401728 37->39 38->33 39->35 44->44 46 4016d9-4016da 44->46 46->39 47 4016dc-4016e9 46->47 47->32 50->51 53 4017d5-4017d8 51->53 54 401832 53->54 55 4017da-4017eb 53->55 56 401834-401841 54->56 57 40181e-401820 54->57 55->53 64 4017ed-4017fa 55->64 58 401821 57->58 59 401887-40189c 57->59 61 401822 58->61 62 40181d 58->62 65 40189e-4018b0 59->65 66 4018cf-4018d5 59->66 61->62 69 401824-40182f 61->69 62->57 72 4017fc-401817 64->72 67 4018e2-4018fe 65->67 68 4018b2-4018c9 65->68 66->67 76 4018ff-401947 67->76 68->66 69->54 77 401819-40181c 72->77 80 401949-401950 76->80 81 40199a-40199c 76->81 77->62 80->76 84 401952-401953 80->84 82 40195a 81->82 83 40199e 81->83 86 40195b-40195d 82->86 85 4019a0-4019cf call 4010d0 83->85 84->82 93 4019d2-4019e7 85->93 87 401962-401963 86->87 87->87 89 401964-401965 87->89 91 401982-401983 89->91 92 401967-401973 89->92 91->85 95 401985-401994 91->95 92->86 94 401975-40197f 92->94 93->93 96 4019e9-401a1c call 401bc0 93->96 94->91 95->81 99 401a21-401a27 96->99 99->99 100 401a29-401a2e 99->100 101 401a30-401a41 100->101 101->101 102 401a43-401a69 call 401000 101->102 105 401a70-401a76 102->105 105->105 106 401a78-401a7a 105->106 107 401a80-401aa1 106->107 108 401aa3 107->108 109 401aa4-401aaa 107->109 108->109 109->107 110 401aac-401abb 109->110 111 401ac0-401ac6 110->111 111->111 112 401ac8 call 42f883 111->112 113 401aca-401ad2 112->113
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: /
            • API String ID: 0-2043925204
            • Opcode ID: 5cd5149381035005651093888467e02b4110d8c158de91931d224e8c95bce8cf
            • Instruction ID: 3c87f9f4752d02a45dd3a409c59769eb26db4f5e8e69c20cd065f0e0e8c794a2
            • Opcode Fuzzy Hash: 5cd5149381035005651093888467e02b4110d8c158de91931d224e8c95bce8cf
            • Instruction Fuzzy Hash: 58C1BC3AA043858FDB069F36889139D7B61EF52720F4843FFD4949B6F2D63A4949CB81
            Function 00417403 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 130 417403-41741f 131 417427-41742c 130->131 132 417422 call 42eef3 130->132 133 417432-417440 call 42f4f3 131->133 134 41742e-417431 131->134 132->131 137 417450-417461 call 42d883 133->137 138 417442-41744d call 42f793 133->138 143 417463-417469 137->143 144 41747a-41747d 137->144 138->137 145 41746a-417477 LdrLoadDll 143->145 145->144
            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417475
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: a973a7c1cd62e3490106768b82ed4956d6d908cfb5d9dad9f16d71023dce8160
            • Instruction ID: b05df437781610848b7068c344924202f79ac1d507f689b657c9eeaa8e82a95c
            • Opcode Fuzzy Hash: a973a7c1cd62e3490106768b82ed4956d6d908cfb5d9dad9f16d71023dce8160
            • Instruction Fuzzy Hash: 0A0175B5E0010DA7DF10DBE5DC42FDEB778AB54308F4041A6E90897240F674EB488B95
            Function 0042C163 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 151 42c163-42c19f call 404553 call 42d393 NtClose
            APIs
            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C19A
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            • Opcode ID: 077c274198fd2d201dfafb0b9f6568a1f5d18b5ba5e0ea9cb351da1e53aaa0a2
            • Instruction ID: 2783417134dfb0b0a8c2fc83e319347d9a6bb114835c9ece34b2f0bd13c71676
            • Opcode Fuzzy Hash: 077c274198fd2d201dfafb0b9f6568a1f5d18b5ba5e0ea9cb351da1e53aaa0a2
            • Instruction Fuzzy Hash: 34E04F752402147BD510EA5ADC41FDB775DDBC5754F40441AFA486B146CA70BA0186B5
            Function 03C72B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 165 3c72b60-3c72b6c LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 177a777725175a310be796602bea5ce4e703806b62e828f0dd9dbdf77bb4c699
            • Instruction ID: a7d954574f12c2a64cadd64d7e6835217944f3637fb12dd8db4a44f45c985589
            • Opcode Fuzzy Hash: 177a777725175a310be796602bea5ce4e703806b62e828f0dd9dbdf77bb4c699
            • Instruction Fuzzy Hash: B09002A1202504034106B2584454696400B87E0705B96C021E101C5D4DC6258A916125
            Function 03C72DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 166 3c72df0-3c72dfc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: a8962f70cba8c53e356e32ee86b3fe82e696817c8a9c7b6f7a4d94c0892e40e6
            • Instruction ID: 4f6675d3e3273099332e0c4ed8d15174d0278e718619d66f0ff73dc14f53d2cb
            • Opcode Fuzzy Hash: a8962f70cba8c53e356e32ee86b3fe82e696817c8a9c7b6f7a4d94c0892e40e6
            • Instruction Fuzzy Hash: 4590027120150813D112B2584544787000A87D0745FD6C412A042C59CD97568B52A121
            Function 03C735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 167 3c735c0-3c735cc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 5bca34654696f2cbbf3747880e1d8e7bff62dc23291a9053aa2bdc52fdc656fb
            • Instruction ID: f1b3a564e57d8db6d791bfe30329b27628126f33dd2ff5f3408a1d0e42f20d15
            • Opcode Fuzzy Hash: 5bca34654696f2cbbf3747880e1d8e7bff62dc23291a9053aa2bdc52fdc656fb
            • Instruction Fuzzy Hash: 7D90027160560802D101B2584554786100687D0705FA6C411A042C5ACD87958B5165A2
            Function 0042C4D3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 0 42c4d3-42c517 call 404553 call 42d393 RtlFreeHeap
            APIs
            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C512
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID: XaA
            • API String ID: 3298025750-3771960826
            • Opcode ID: cba86bd141b8e3495d01db1a3f8b2992ede2c1e7d20d58e02a40252be89b45e6
            • Instruction ID: e952e451711bd04c2b92b5fd24bcfc973564a37cfe645aec8d1021d10763d40f
            • Opcode Fuzzy Hash: cba86bd141b8e3495d01db1a3f8b2992ede2c1e7d20d58e02a40252be89b45e6
            • Instruction Fuzzy Hash: 0FE092B26002047FDA10EE59DC41FEB33ACEFC5714F004419FE08A7242C670B9108BB9
            Function 00417483 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 115 417483-417484 116 417486-41749d 115->116 116->116 117 41749f-4174a1 116->117 118 4174a3-4174b5 117->118 119 41742b-417431 117->119 121 4174b7-4174c0 118->121 122 41746a-417477 LdrLoadDll 118->122 125 4174c2-4174d2 121->125 123 41747a-41747d 122->123 126 417464-417465 125->126 127 4174d4-4174dd 125->127 126->122 128 4174bb-4174c0 127->128 129 4174df-4174e0 127->129 128->125
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ef1416f1c565804daaefeeb2083156b5e6313198be0169012b900b9d8574cbe4
            • Instruction ID: bbc544ecd237663c9b46e0bf290c106982462a50d3e3d4b5518301b360365a4b
            • Opcode Fuzzy Hash: ef1416f1c565804daaefeeb2083156b5e6313198be0169012b900b9d8574cbe4
            • Instruction Fuzzy Hash: 6B11AF3580C24966DB11D768AC85EDBFF75EF03B60F44CBC7E4641B1C7E6246880C2A6
            Function 0042C483 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 146 42c483-42c4c4 call 404553 call 42d393 RtlAllocateHeap
            APIs
            • RtlAllocateHeap.NTDLL(?,0041E1AE,?,?,00000000,?,0041E1AE,?,?,?), ref: 0042C4BF
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 0ea7cd6dd6513360e8143eeded3e0b9c7205b46d449492900bbcdfe4eae3c0ad
            • Instruction ID: 989d0a99da9af1e044aab174df9eeb6d940b21b5d5ee427c76e5279471a0b7db
            • Opcode Fuzzy Hash: 0ea7cd6dd6513360e8143eeded3e0b9c7205b46d449492900bbcdfe4eae3c0ad
            • Instruction Fuzzy Hash: 27E06DB12002187BDA10EE59EC41FDB37ACDFC9710F004419FE48A7242C670B95186B8
            Function 0042C523 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 156 42c523-42c55c call 404553 call 42d393 ExitProcess
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 8358bad6220cd63566d2eb78cca3930b160741044abcf7567aa7caaa1b0abd9a
            • Instruction ID: e6536256e9a3072f490c990f394c40ca135fe74a43982929094cc4c538f535b2
            • Opcode Fuzzy Hash: 8358bad6220cd63566d2eb78cca3930b160741044abcf7567aa7caaa1b0abd9a
            • Instruction Fuzzy Hash: 98E046762002147BD620EA5ADC01FAB77ADDBC5724F40842AFB08A7246DA75BA1186A4
            Function 03C72C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 161 3c72c0a-3c72c0f 162 3c72c11-3c72c18 161->162 163 3c72c1f-3c72c26 LdrInitializeThunk 161->163
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: a16fcdf74d2bc20d479bfc1b40779c81524d566da9a16b9921cb4237f4bbbc4d
            • Instruction ID: 84faa90233bd227a4f600780950a8624567ebc6a859d33608038aac95c8ba62c
            • Opcode Fuzzy Hash: a16fcdf74d2bc20d479bfc1b40779c81524d566da9a16b9921cb4237f4bbbc4d
            • Instruction Fuzzy Hash: 73B09BB19015C5C5EA11F7604608757790567D0745F5AC461D303C685E4739C2D1E175

            Non-executed Functions

            Function 03CB2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2160512332
            • Opcode ID: 288e1e2061f0e560c1dd85e3aa0938031b745a8c7eb562ba4d2397e9e79fb1f0
            • Instruction ID: aeea6575664b303b0d03bbeb9d9d32d519b3d40015c05f24726aacc197937762
            • Opcode Fuzzy Hash: 288e1e2061f0e560c1dd85e3aa0938031b745a8c7eb562ba4d2397e9e79fb1f0
            • Instruction Fuzzy Hash: E0928A75608381AFD720DE25C884BABB7F8BB88754F084D2DFA95DB250D770E944CB92
            Function 03C268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-3089669407
            • Opcode ID: f0b0b3b2124a67d30191e30d4c985eb85e128119bee2b4c3c945b5e594545fbc
            • Instruction ID: d588cd32f61ebcebc7f05e536a58118ac9464702c7f9479a09029d78cee04501
            • Opcode Fuzzy Hash: f0b0b3b2124a67d30191e30d4c985eb85e128119bee2b4c3c945b5e594545fbc
            • Instruction Fuzzy Hash: 878102B7D012186F8B61FBA9EDD4EEEB7BDAB15610B054421B910FB114E730EE149BA0
            Function 03CD5910 Relevance: 18.5, Strings: 14, Instructions: 963COMMON
            Download Yara Rule
            Strings
            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 03CD5FE1
            • @, xrefs: 03CD6277
            • Control Panel\Desktop, xrefs: 03CD615E
            • PreferredUILanguages, xrefs: 03CD63D1
            • @, xrefs: 03CD61B0
            • LanguageConfiguration, xrefs: 03CD6420
            • InstallLanguageFallback, xrefs: 03CD6050
            • @, xrefs: 03CD647A
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 03CD635D
            • LanguageConfigurationPending, xrefs: 03CD6221
            • PreferredUILanguagesPending, xrefs: 03CD61D2
            • @, xrefs: 03CD6027
            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!, xrefs: 03CD5A84
            • @, xrefs: 03CD63A0
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!$@$@$@$@$@$Control Panel\Desktop$InstallLanguageFallback$LanguageConfiguration$LanguageConfigurationPending$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
            • API String ID: 0-1325123933
            • Opcode ID: 9e033594a66be9ffc225baa42ac3798627a5949d22867c142c6f4681937c0e3f
            • Instruction ID: f5132bc053d37fd14ad7d3a2536b26c8ed1a8a7d729f00fe6614e09df7f25744
            • Opcode Fuzzy Hash: 9e033594a66be9ffc225baa42ac3798627a5949d22867c142c6f4681937c0e3f
            • Instruction Fuzzy Hash: 517277755083419FD321DF29C880B6BB7E9FB89700F45492EFA89DB250EB34D945CB92
            Function 03C68620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
            Download Yara Rule
            Strings
            • Critical section address, xrefs: 03CA5425, 03CA54BC, 03CA5534
            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03CA540A, 03CA5496, 03CA5519
            • Thread identifier, xrefs: 03CA553A
            • corrupted critical section, xrefs: 03CA54C2
            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03CA54E2
            • 8, xrefs: 03CA52E3
            • Address of the debug info found in the active list., xrefs: 03CA54AE, 03CA54FA
            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03CA54CE
            • Thread is in a state in which it cannot own a critical section, xrefs: 03CA5543
            • undeleted critical section in freed memory, xrefs: 03CA542B
            • Critical section debug info address, xrefs: 03CA541F, 03CA552E
            • Invalid debug info address of this critical section, xrefs: 03CA54B6
            • Critical section address., xrefs: 03CA5502
            • double initialized or corrupted critical section, xrefs: 03CA5508
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
            • API String ID: 0-2368682639
            • Opcode ID: 1612f316f5d6c5ca7b8da948fbab3d4a7a6b2d06a003f33d730e9fc0e128b216
            • Instruction ID: 456954ea4f0dd25a3cbfbfd52409b9d8384888699ab45794b852c49c2c047e6f
            • Opcode Fuzzy Hash: 1612f316f5d6c5ca7b8da948fbab3d4a7a6b2d06a003f33d730e9fc0e128b216
            • Instruction Fuzzy Hash: 5481D0B1A00759EFDB60CF99C844BAEBBB9FB0A704F548169F514FB241D371A940EB60
            Function 03C629F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
            Download Yara Rule
            Strings
            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 03CA2624
            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 03CA2498
            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 03CA22E4
            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 03CA24C0
            • @, xrefs: 03CA259B
            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 03CA25EB
            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 03CA2412
            • RtlpResolveAssemblyStorageMapEntry, xrefs: 03CA261F
            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 03CA2602
            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 03CA2506
            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 03CA2409
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
            • API String ID: 0-4009184096
            • Opcode ID: dd1aa58e8484ca5aaf127bf1b0afe1ef4b5be08a9106edbef430268a7867d1d0
            • Instruction ID: df5b00538f97762a64bc281538252719a35463852d0d6df5a656c879130d17b0
            • Opcode Fuzzy Hash: dd1aa58e8484ca5aaf127bf1b0afe1ef4b5be08a9106edbef430268a7867d1d0
            • Instruction Fuzzy Hash: 290271B5D006299FDB20DB14CC80BD9B7B8AF44304F0545EAEA49EB241DB31AF84DF59
            Function 03C60F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
            • API String ID: 0-360209818
            • Opcode ID: 64b5ff52d93c276132cabac26c0ae2b4e33db46889f9b67e54d234a6c3c567d8
            • Instruction ID: f0a406c1a77317f2a9fa110da154a49533f6ec074b94398c4abf49b7417cf60d
            • Opcode Fuzzy Hash: 64b5ff52d93c276132cabac26c0ae2b4e33db46889f9b67e54d234a6c3c567d8
            • Instruction Fuzzy Hash: 40629EB5E0062A8FDB24CF19C8817A9B7B6EF95324F5D82DAD449EB240D7325AD1CF40
            Function 03CD8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
            • API String ID: 0-2515994595
            • Opcode ID: 462ad5715687fae5a13a319882a7ff502109e5654b8e2182d6bce8473a988541
            • Instruction ID: 74c6731df92c682a666299a74db098079295ecaf5a363bb3b27793585ca8ea85
            • Opcode Fuzzy Hash: 462ad5715687fae5a13a319882a7ff502109e5654b8e2182d6bce8473a988541
            • Instruction Fuzzy Hash: A351B4B25043559BC329DF198884BABB7ECFFD4650F144A1EFA55CB284E770D604C792
            Function 03CE12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
            • API String ID: 0-3591852110
            • Opcode ID: 559c681ff0a6db9ad874a2e583ca350f765f3cf5d0e85e41477cb1bd899656f3
            • Instruction ID: 9d7dce24789fb40ff977518bff5a74f094d714bea92837fdc4a33fbe62415a4c
            • Opcode Fuzzy Hash: 559c681ff0a6db9ad874a2e583ca350f765f3cf5d0e85e41477cb1bd899656f3
            • Instruction Fuzzy Hash: 1712C9756046829FC725DF29C440BBABBF5EF09704F0D8459E496CF682D738E9A0DB50
            Function 03C4AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
            • API String ID: 0-3197712848
            • Opcode ID: 91b51e84e04cbc1c1f3161e6bbccb384ea242484c0d4018e4965aea5ab0109e8
            • Instruction ID: 0b0734e5c73153479c2bd55b09ad55b38121e054f148dc18df8cd6ed864b99f0
            • Opcode Fuzzy Hash: 91b51e84e04cbc1c1f3161e6bbccb384ea242484c0d4018e4965aea5ab0109e8
            • Instruction Fuzzy Hash: F512D0B5A083418FE724DF28C844BAAB7E4FF95704F09095AF985CF291E774DA44CB92
            Function 03C2D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
            • API String ID: 0-3532704233
            • Opcode ID: 474648e7b9e6e471f576550b34da2389b892e15d7c7e8e36fc944c59ba8f6a52
            • Instruction ID: 0f740e15b3622867d23963a33acda5f9c426cec1905d1b5820c944a0b7c0678c
            • Opcode Fuzzy Hash: 474648e7b9e6e471f576550b34da2389b892e15d7c7e8e36fc944c59ba8f6a52
            • Instruction Fuzzy Hash: 1DB1BFB65083619FC711EF24C484B6BBBE8AF98744F054D2EF89ADB240D770DA44CB92
            Function 03CE0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
            • API String ID: 0-1357697941
            • Opcode ID: a87246f26af38fe3f0541ec659cae006ac0a4ae8bdea3abd8373c415b5d9af29
            • Instruction ID: 3b88b63462c6dc64b6b04823535882c25e339b61c75c4c5f2c59a91c93b5650f
            • Opcode Fuzzy Hash: a87246f26af38fe3f0541ec659cae006ac0a4ae8bdea3abd8373c415b5d9af29
            • Instruction Fuzzy Hash: DBF11575A047A5EFCB25DF6AC441BAAFBF5FF09700F088069E481DB242C774AA45DB90
            Function 03CE0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
            • API String ID: 0-1700792311
            • Opcode ID: 8d95b49c85618eb2b177c53d5fc1d0be8710e1ed0688fddcce46fed617a1230c
            • Instruction ID: 999f04eca14c49a2ca8f355fc30e75c9ec0dcfe12cbacca1a292ff7799485455
            • Opcode Fuzzy Hash: 8d95b49c85618eb2b177c53d5fc1d0be8710e1ed0688fddcce46fed617a1230c
            • Instruction Fuzzy Hash: A9D1EB365006A0DFCB22EF6AC440AADFBF1FF4A700F098059E855DF252C7B4AA41DB94
            Function 03C3ADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
            • API String ID: 0-664215390
            • Opcode ID: 609b6179558d2b36bdaf2e4148e8a5a805fee5a9b0b587ea1ef9254c8254a378
            • Instruction ID: 094cb5c574beef4f3a305ff16bf7ca5abd68ed244ffe17e2058769545b11d1b8
            • Opcode Fuzzy Hash: 609b6179558d2b36bdaf2e4148e8a5a805fee5a9b0b587ea1ef9254c8254a378
            • Instruction Fuzzy Hash: EC3281759042A98BEF21CB15CC98BEEB7B9AF46340F1541EAE849EB250D7719F818F40
            Function 03C62F98 Relevance: 9.1, Strings: 7, Instructions: 307COMMON
            Download Yara Rule
            Strings
            • SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 03CA2881
            • SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 03CA29B1
            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 03CA292E
            • RtlpProbeAssemblyStorageRootForAssembly, xrefs: 03CA29AC
            • SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 03CA2856
            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 03CA28B2
            • @, xrefs: 03C63180
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
            • API String ID: 0-541586583
            • Opcode ID: 40a2091782d94f94e973cc9a03a77e8252ccdd1551967853365b39d9bf4a9ade
            • Instruction ID: 58116233fb4f055f6fdf8ab5acbadacf25138e040c218d289d45e6445ab6b107
            • Opcode Fuzzy Hash: 40a2091782d94f94e973cc9a03a77e8252ccdd1551967853365b39d9bf4a9ade
            • Instruction Fuzzy Hash: AFC1B07A9006299BDB20DF59CC89BBAB3B4EF44714F0540E9E849EB261E7349E80DF51
            Function 03CB89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
            Download Yara Rule
            Strings
            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 03CB8A67
            • VerifierDebug, xrefs: 03CB8CA5
            • VerifierDlls, xrefs: 03CB8CBD
            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 03CB8A3D
            • AVRF: -*- final list of providers -*- , xrefs: 03CB8B8F
            • HandleTraces, xrefs: 03CB8C8F
            • VerifierFlags, xrefs: 03CB8C50
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
            • API String ID: 0-3223716464
            • Opcode ID: 825b04d19f7739234def045c1c06cf321f9aa785944fd11c356be6b179e93065
            • Instruction ID: 6747114d172dfd9d90bd22384ba2633fe58b06a6fd8a956e8bbcff7edb04711d
            • Opcode Fuzzy Hash: 825b04d19f7739234def045c1c06cf321f9aa785944fd11c356be6b179e93065
            • Instruction Fuzzy Hash: 4A9122B2641391AFC721EF289880FAAB7FDAF65714F4A0459F940EF381C770AE009795
            Function 03C3EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
            • API String ID: 0-1109411897
            • Opcode ID: 5668b9cd5a9855ae0e7f1aa326e5913060e24b0953e713bc0d29ff0501a1823f
            • Instruction ID: 009d70cc86bfa44d507a5995e7177088723fde75edcb6e6d8237ee9bcbe0c550
            • Opcode Fuzzy Hash: 5668b9cd5a9855ae0e7f1aa326e5913060e24b0953e713bc0d29ff0501a1823f
            • Instruction Fuzzy Hash: 5CA22875E05629CBDF68DF2ACC887A9B7B5AF45304F1542EAD809EB250DB359E81CF00
            Function 03C2F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-523794902
            • Opcode ID: 6ccc2362abff2f898f35647126503846a5754878abdb9a2aebe473ff1938aedf
            • Instruction ID: 5601b05e4e032a7c7b429a112b8deb5f94814d330cf8135b89f3dd2bb7448a73
            • Opcode Fuzzy Hash: 6ccc2362abff2f898f35647126503846a5754878abdb9a2aebe473ff1938aedf
            • Instruction Fuzzy Hash: 8742ED752083959FC715EF29C884A2AFBF5FF85608F08496DE486CB392D730EA41CB52
            Function 03C4B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
            • API String ID: 0-122214566
            • Opcode ID: 2460bb24d65d45e29e422bc6442d141af3bc35aa1adca9010bdba2c8b564ae5e
            • Instruction ID: 28b675d987838117330043e859db52ecf93edab2ec4362c1d63bf91e131efdcf
            • Opcode Fuzzy Hash: 2460bb24d65d45e29e422bc6442d141af3bc35aa1adca9010bdba2c8b564ae5e
            • Instruction Fuzzy Hash: 88C14A31A00315ABDF24DF69C894BBEF7A5AF46300F194069E886DF291EBB4DD44D3A1
            Function 03C663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
            • API String ID: 0-792281065
            • Opcode ID: 219dccb58071c3c288220effa9c38945ba844c7743c43491f92de38d42ebd443
            • Instruction ID: 401a976d6696826e40c6c12aaabc568797d04490f6c7b7937c1e4415a19dc6ef
            • Opcode Fuzzy Hash: 219dccb58071c3c288220effa9c38945ba844c7743c43491f92de38d42ebd443
            • Instruction Fuzzy Hash: 3B916A35A00B159BDB38EF2AD884BBEB7A1FB51728F050128E911EF781D7B49911D790
            Function 03C2645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
            Download Yara Rule
            Strings
            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 03C899ED
            • minkernel\ntdll\ldrinit.c, xrefs: 03C89A11, 03C89A3A
            • LdrpInitShimEngine, xrefs: 03C899F4, 03C89A07, 03C89A30
            • apphelp.dll, xrefs: 03C26496
            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 03C89A2A
            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 03C89A01
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-204845295
            • Opcode ID: 8d5a0df58e80e781088098f38ca2dcf0ad027e496f9607bfb9dab3e1f7c56f32
            • Instruction ID: 7cc16729cb7972056c4f721d5cf1c8180d00cf270400829a0ec8857f95722f7f
            • Opcode Fuzzy Hash: 8d5a0df58e80e781088098f38ca2dcf0ad027e496f9607bfb9dab3e1f7c56f32
            • Instruction Fuzzy Hash: 4551C3752083049FD320EF24D881BABBBE8FB94648F050929F596DB251D770EA54DBA2
            Function 03C6C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 03C6C6C3
            • LdrpInitializeImportRedirection, xrefs: 03CA8177, 03CA81EB
            • LdrpInitializeProcess, xrefs: 03C6C6C4
            • minkernel\ntdll\ldrredirect.c, xrefs: 03CA8181, 03CA81F5
            • Unable to build import redirection Table, Status = 0x%x, xrefs: 03CA81E5
            • Loading import redirection DLL: '%wZ', xrefs: 03CA8170
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-475462383
            • Opcode ID: d2ed629003ea68dd92e6fd7bf4bf9bce37fafc9a015559c217567559d64e1bcd
            • Instruction ID: 27c9893bb2149173afc46c104941952e22cdb6c17c1ec651e4f26d593d9eebeb
            • Opcode Fuzzy Hash: d2ed629003ea68dd92e6fd7bf4bf9bce37fafc9a015559c217567559d64e1bcd
            • Instruction Fuzzy Hash: 5D310476744741AFC224EF28D946E2AB7E4EF94B14F050968F881EF291D620ED04D7A2
            Function 03C62674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 03CA21BF
            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 03CA2178
            • RtlGetAssemblyStorageRoot, xrefs: 03CA2160, 03CA219A, 03CA21BA
            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 03CA219F
            • SXS: %s() passed the empty activation context, xrefs: 03CA2165
            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 03CA2180
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
            • API String ID: 0-861424205
            • Opcode ID: c0779794cc62ccabb1866f96a7bd450aa9be9d5577c0630d80ebaaf72d91e9f3
            • Instruction ID: 6916c881a41f950019498c1d2f77126f589f02c97e221302d42998ffb5c3d423
            • Opcode Fuzzy Hash: c0779794cc62ccabb1866f96a7bd450aa9be9d5577c0630d80ebaaf72d91e9f3
            • Instruction Fuzzy Hash: 45310336F40225BBE721CA99CC81F9EB678DB95A44F094469FB04FB241D671EE00E7A1
            Function 03C49950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
            • API String ID: 0-3393094623
            • Opcode ID: daffcc6d8008f06c9992b37dbbd4742425974b97aef22cd9124325e6d6057de9
            • Instruction ID: b99420e510eed0d296bd3e94ff0059653329631643a302545806f0db522b9825
            • Opcode Fuzzy Hash: daffcc6d8008f06c9992b37dbbd4742425974b97aef22cd9124325e6d6057de9
            • Instruction Fuzzy Hash: 120257719093618FD720CF65C084BABFBE4BF89714F49896EE889CB250E770D944CB92
            Function 03C7096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 03C72DF0: LdrInitializeThunk.NTDLL ref: 03C72DFA
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03C70BA3
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03C70BB6
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03C70D60
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03C70D74
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
            • String ID:
            • API String ID: 1404860816-0
            • Opcode ID: 8374553b33a376a1f9cfeff2e64f0ee135cb9b463430f332d1e25bc4523250f8
            • Instruction ID: c891979abf549073a009fab43709a1dfb70a1a2e4ef72abe91e72617e7b29235
            • Opcode Fuzzy Hash: 8374553b33a376a1f9cfeff2e64f0ee135cb9b463430f332d1e25bc4523250f8
            • Instruction Fuzzy Hash: DE425D75900715DFDB60CF28C881BAAB7F9FF44314F1485AAE989DB241D770AA84CF61
            Function 03CB4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
            • API String ID: 0-2518169356
            • Opcode ID: 79eb54cde1f430ea1c6f88a9ff4b3f8a5686d8bccd93161293fb002f78a7517e
            • Instruction ID: cf5ee2fa00da5129fba6b056df96c66990dcde411a878010f2ec42be4a2efa03
            • Opcode Fuzzy Hash: 79eb54cde1f430ea1c6f88a9ff4b3f8a5686d8bccd93161293fb002f78a7517e
            • Instruction Fuzzy Hash: 0B91BE76D006199BCB25CFA9C881AFEB7B5FF4A310F594169E811EB350D735DA01CB90
            Function 00401240 Relevance: 6.5, Strings: 5, Instructions: 212COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: XL$gfff$gfff$/$e$
            • API String ID: 0-4286400639
            • Opcode ID: 2f9646700ae3a2d93317f5ac3b353e5f47748863158e24a07af9ab872f486169
            • Instruction ID: 4a81e33b646a6d8b25d8a93be4fe0199b13e08c9fa26d571f13be2e720a50779
            • Opcode Fuzzy Hash: 2f9646700ae3a2d93317f5ac3b353e5f47748863158e24a07af9ab872f486169
            • Instruction Fuzzy Hash: 21819E71D1060987CB14CFA9D8901EEF7B0EF99314F24826AE808BF3A1E7759A418B95
            Function 03C470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 007d1b1713fb3d472a1f112c5b810a44e4df7210eb4ff6ede76680b73c341911
            • Instruction ID: 1f03a5d7873bcf6f2235eef059de66839e415d2f67846c08c87144ed7772d47f
            • Opcode Fuzzy Hash: 007d1b1713fb3d472a1f112c5b810a44e4df7210eb4ff6ede76680b73c341911
            • Instruction Fuzzy Hash: BA139970A00759CFDB29CF69C8907A9FBB1BF49304F1881A9D859EF381D735AA45CB90
            Function 03C4A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
            Download Yara Rule
            Strings
            • SsHd, xrefs: 03C4A885
            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03C97D39
            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03C97D56
            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03C97D03
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
            • API String ID: 0-2905229100
            • Opcode ID: 9a7e9fcf7fb7303b6e46e36fa7cf8e69821fa18bacf7b222178f6ca3e774e802
            • Instruction ID: d2c9679ee00077479c22a5f2232fa5315c0cb8dca1835d304655d97dcd1ee2f4
            • Opcode Fuzzy Hash: 9a7e9fcf7fb7303b6e46e36fa7cf8e69821fa18bacf7b222178f6ca3e774e802
            • Instruction Fuzzy Hash: 25D17C7AA402199BDF24CF99C880AADF7B5FF58310F19406AE845EF351D371EA91CB90
            Function 03C3A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
            • API String ID: 0-379654539
            • Opcode ID: c5853ead38dd7d6f9be0b807a4534c3be05af2726b5684476bcc36cee8ed3f32
            • Instruction ID: 8a01517463ba27e19304a8470170bb1423d67f8b7f67b32422c087714acd8aad
            • Opcode Fuzzy Hash: c5853ead38dd7d6f9be0b807a4534c3be05af2726b5684476bcc36cee8ed3f32
            • Instruction Fuzzy Hash: A5C187791083869FDB11DF19C044B6AB7F4BF8A704F04886AF8D6CB250E735CA59CB92
            Function 03C68402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 03C68421
            • LdrpInitializeProcess, xrefs: 03C68422
            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 03C6855E
            • @, xrefs: 03C68591
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1918872054
            • Opcode ID: dc65e06a3adfc7e7aec3dc20351c2a4afe7a125c5bddfc3882cbb0cf2ea0e8fd
            • Instruction ID: 0839629b81ca5347fed277f78be385d156b6e2c57770c46ddc6b4beeab6dd20f
            • Opcode Fuzzy Hash: dc65e06a3adfc7e7aec3dc20351c2a4afe7a125c5bddfc3882cbb0cf2ea0e8fd
            • Instruction Fuzzy Hash: 9891AA71508345AFE721EF21CC94FABBAECEB84744F44492EFA84DA150E734DA44DB62
            Function 03C40C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 03C954E0, 03C955A1
            • HEAP[%wZ]: , xrefs: 03C954D1, 03C95592
            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 03C954ED
            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 03C955AE
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
            • API String ID: 0-1657114761
            • Opcode ID: 9f97ba4c01ddaee27a232c49c474d802d278c49840c44b229a6f1000e64a8be0
            • Instruction ID: 076e8c470aff0b65029a658a9df4aa2a925a25cbc75631ca56e5e76a89266ff1
            • Opcode Fuzzy Hash: 9f97ba4c01ddaee27a232c49c474d802d278c49840c44b229a6f1000e64a8be0
            • Instruction Fuzzy Hash: 82A1FE74644265DFDB24DF29C840BBAFBB1BF45300F188569D59ACB282D330A948DB91
            Function 03C6273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • .Local, xrefs: 03C628D8
            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 03CA21D9, 03CA22B1
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 03CA22B6
            • SXS: %s() passed the empty activation context, xrefs: 03CA21DE
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
            • API String ID: 0-1239276146
            • Opcode ID: fdca7f42b31faa6d844bf742c36a1554693964e4387efbb8b78418a8bde02ee3
            • Instruction ID: b2826c32c868836ce46a7b669e1b236e9d08e5134f462f307af6c926902610be
            • Opcode Fuzzy Hash: fdca7f42b31faa6d844bf742c36a1554693964e4387efbb8b78418a8bde02ee3
            • Instruction Fuzzy Hash: CDA1903590022A9FDB24CF65CC84BA9B3B5BF58314F1949E9D948EB251D730AE81CF90
            Function 03C64AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
            Download Yara Rule
            Strings
            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 03CA3437
            • RtlDeactivateActivationContext, xrefs: 03CA3425, 03CA3432, 03CA3451
            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 03CA342A
            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 03CA3456
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
            • API String ID: 0-1245972979
            • Opcode ID: bc6094d92db7d235661ee4d7756cbc2704b289bdd870a5548db0a9881198253b
            • Instruction ID: 14b4ed1236a9e07fefe198d8f74e7c7537f807d2eb86131f0006d5e54dc96311
            • Opcode Fuzzy Hash: bc6094d92db7d235661ee4d7756cbc2704b289bdd870a5548db0a9881198253b
            • Instruction Fuzzy Hash: 69613536600B52AFC726CF1AC891B2AF7A5EF80B54F19856DE865DF340CB30E900DB95
            Function 03C364AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
            Download Yara Rule
            Strings
            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 03C910AE
            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 03C91028
            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 03C90FE5
            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 03C9106B
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
            • API String ID: 0-1468400865
            • Opcode ID: 7ca8d0df423485f8c12aeea5bd1c6239188ed18dfdf36415a2be1d227f16a3d8
            • Instruction ID: 338effffb32494c79954657a6baa63a2a7f2cccea5846046f0f343a6f2306db7
            • Opcode Fuzzy Hash: 7ca8d0df423485f8c12aeea5bd1c6239188ed18dfdf36415a2be1d227f16a3d8
            • Instruction Fuzzy Hash: BC71CEB5904314AFCB20EF14C8C5B9B7BA8AF45764F450469F848CF246D734D688DBD2
            Function 03C5245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 03C9A9A2
            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 03C9A992
            • LdrpDynamicShimModule, xrefs: 03C9A998
            • apphelp.dll, xrefs: 03C52462
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-176724104
            • Opcode ID: 1fbb6fec9c284fa72e024ab28ee06c15c7e06464bb262e95a867f7dde1fbf69e
            • Instruction ID: 1d9065bc166456caeb215efbc335f6d383c297dba8c8199ae071995b1965cf8b
            • Opcode Fuzzy Hash: 1fbb6fec9c284fa72e024ab28ee06c15c7e06464bb262e95a867f7dde1fbf69e
            • Instruction Fuzzy Hash: D7312C3A600341ABEB30EF699845A6EB7B9FB94704F1B045AFC10EF345C7B09981DB90
            Function 03C429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 03C43264
            • HEAP[%wZ]: , xrefs: 03C43255
            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 03C4327D
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
            • API String ID: 0-617086771
            • Opcode ID: 595365267faf5cf0bb4d914e068731d0807d0940b6241abadeed036220044dbc
            • Instruction ID: ce0f1ab0c6a743a4b228ae14fa2d8f55a5782e90b59ec8fce17d7081e1ac042b
            • Opcode Fuzzy Hash: 595365267faf5cf0bb4d914e068731d0807d0940b6241abadeed036220044dbc
            • Instruction Fuzzy Hash: A692BD75A042899FDB25CF69C4447AEBBF1FF48300F188499E89AEB391D735AA41CF50
            Function 03CC02C0 Relevance: 4.4, Strings: 3, Instructions: 611COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: """"$MitigationAuditOptions$MitigationOptions
            • API String ID: 0-1670051934
            • Opcode ID: 4c0d3a59cc5518380e1af5173db2e1481bf20d033b7b162e1514d4a523f8e469
            • Instruction ID: 3ea1d8592fb807729d739c10417bd23cc351ebb61540766d7eaa8c6dc69a2fe7
            • Opcode Fuzzy Hash: 4c0d3a59cc5518380e1af5173db2e1481bf20d033b7b162e1514d4a523f8e469
            • Instruction Fuzzy Hash: 6C22B2B2A24792CFD724CF2AC851626FBE1BBC4310F19892EE5DACB650D771E644CB41
            Function 03C41F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: ec4b44d07af2cec73a7b097b9b71eb63ee3394c99a05417f393ca8f009a5e3ba
            • Instruction ID: 38ce2c485ea0a510c28118b3f0696cfbf5c255415c51d3909ce1cf0304c43fe1
            • Opcode Fuzzy Hash: ec4b44d07af2cec73a7b097b9b71eb63ee3394c99a05417f393ca8f009a5e3ba
            • Instruction Fuzzy Hash: 3C2230706006419FEB16DF29C499B7AFBF5EF02704F1A849AE455CF282D736EA81CB50
            Function 03C40770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-4253913091
            • Opcode ID: 78a47837c847e0e564acb9056c43a6515cdfebdcf83bf62b57fe9de0461deabd
            • Instruction ID: e100f5f71dd4729802482125215530a71f7aa6944b1c79e0738688a54b3ef17b
            • Opcode Fuzzy Hash: 78a47837c847e0e564acb9056c43a6515cdfebdcf83bf62b57fe9de0461deabd
            • Instruction Fuzzy Hash: 77F1A735A40605DFEB25CF69C988B6AF7B5FB45300F1981A9E506DF381D730EA81CB90
            Function 03C31460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 03C31596
            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03C31728
            • HEAP[%wZ]: , xrefs: 03C31712
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 679a9b0cbb8e2aa21bc64eac4cc0cb6b5daa010d046b2f16d485536717ac79c1
            • Instruction ID: 81af117f9f9163f8b94f2f0bc3c279220a7ae9097e3c39daacc4b00415e27fc9
            • Opcode Fuzzy Hash: 679a9b0cbb8e2aa21bc64eac4cc0cb6b5daa010d046b2f16d485536717ac79c1
            • Instruction Fuzzy Hash: 13E10F70A046419FDB29EF69C451BBABBF5EF4A304F1C845DE496CB245E734EA40CB50
            Function 03C56962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $@
            • API String ID: 0-1077428164
            • Opcode ID: 31f0cab33a2a042c6c694c493e9d4bb25dd8d1c2e0738b59bcfc16bfede09a83
            • Instruction ID: 9963b2846c285927d2aa408ff868429a502e28cf0ad00327ad05be377d3d1cce
            • Opcode Fuzzy Hash: 31f0cab33a2a042c6c694c493e9d4bb25dd8d1c2e0738b59bcfc16bfede09a83
            • Instruction Fuzzy Hash: 6AC280716083419FEB25CF25C884BABB7E5AF88744F09896EFD89CB240D734D984CB56
            Function 03C2A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: FilterFullPath$UseFilter$\??\
            • API String ID: 0-2779062949
            • Opcode ID: 4fd54bb9ed763a83541d46e30cebaf356249cce895ae621e7e4cb314a123e077
            • Instruction ID: 437486ede257791e510f956bc82f24a55c1816bbb80050964aeae1dedba7d6db
            • Opcode Fuzzy Hash: 4fd54bb9ed763a83541d46e30cebaf356249cce895ae621e7e4cb314a123e077
            • Instruction Fuzzy Hash: B2A16A759012299BDB21EB24CC88BEAF7B8EB44714F0541E9E909EB250DB35AFC5CF50
            Function 00402350 Relevance: 4.0, Strings: 3, Instructions: 232COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: VUUU$VUUU$gfff
            • API String ID: 0-2314002932
            • Opcode ID: e2d9bae646ff143ff6156ba5af7a744400313c3ad89a4e3ed730c9e34e1465ea
            • Instruction ID: b4b8223d5d3b67d559bfa8bbbe80790d38ab48e119e4305e0106593601ea0efe
            • Opcode Fuzzy Hash: e2d9bae646ff143ff6156ba5af7a744400313c3ad89a4e3ed730c9e34e1465ea
            • Instruction Fuzzy Hash: B971D632B001159BCB18CA5DCE9466EB3A6EB98304F54817BEC09EF3C1E678DE1187C8
            Function 03C50BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 03C9A121
            • LdrpCheckModule, xrefs: 03C9A117
            • Failed to allocated memory for shimmed module list, xrefs: 03C9A10F
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
            • API String ID: 0-161242083
            • Opcode ID: 7a12901cfe28a493510f82ab1de21f712c888322f1fe100f697f03d0285a8255
            • Instruction ID: a12fcd63f7442f2def2e6972638f6847cbece86f5e717f365d59c9ddb1bab344
            • Opcode Fuzzy Hash: 7a12901cfe28a493510f82ab1de21f712c888322f1fe100f697f03d0285a8255
            • Instruction Fuzzy Hash: BF71DD79A00205DFDF24EF68C885AAEB7F4EB55304F1A4469E802EB350E734AE81CB55
            Function 03C40A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-1334570610
            • Opcode ID: 82905533bc8ad381ef63008063431baf3e91267e9ae2ea5c2c765ab8bc211f70
            • Instruction ID: a4444db9046ff2a1fab98f5d3c0409a5b7789aaf8c9d093d41f77213bddd815a
            • Opcode Fuzzy Hash: 82905533bc8ad381ef63008063431baf3e91267e9ae2ea5c2c765ab8bc211f70
            • Instruction Fuzzy Hash: 4361ED706403119FDB29DF29C444B6AFBE5FF45308F1985AAE949CF282CB70E980CB94
            Function 03CDDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
            Download Yara Rule
            Strings
            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 03CDDC32
            • HEAP: , xrefs: 03CDDC1F
            • HEAP[%wZ]: , xrefs: 03CDDC12
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
            • API String ID: 0-3815128232
            • Opcode ID: 5f92ae74f08ae22dd5f3f9fbcc60e3fc3c3db8c055dfaab16816bfa767d60954
            • Instruction ID: ca8eabd843401fdc74dafb188d45ee8cc12f48b773a8a72aafc308990ade9afd
            • Opcode Fuzzy Hash: 5f92ae74f08ae22dd5f3f9fbcc60e3fc3c3db8c055dfaab16816bfa767d60954
            • Instruction Fuzzy Hash: A0514435904250AEE374DE2AC88C772B7E1DF45248F09888AF6D3CF285DA75E942DB60
            Function 03C6C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
            Download Yara Rule
            Strings
            • Failed to reallocate the system dirs string !, xrefs: 03CA82D7
            • minkernel\ntdll\ldrinit.c, xrefs: 03CA82E8
            • LdrpInitializePerUserWindowsDirectory, xrefs: 03CA82DE
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1783798831
            • Opcode ID: c39ae1916284f272e8d67b83b42e3bc39cd1d390205d3df38f6a7e92448940b2
            • Instruction ID: 78c61bcc662049bfcdbdeb0d9ef0a11cb146565d0ef5fd3c0b6a8e0dd7cee46e
            • Opcode Fuzzy Hash: c39ae1916284f272e8d67b83b42e3bc39cd1d390205d3df38f6a7e92448940b2
            • Instruction Fuzzy Hash: B94115B6500310ABC720FB28DC84B5BBBE8FF59750F05492AF988DB250E770E910DB91
            Function 03CEC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 03CEC1F1
            • PreferredUILanguages, xrefs: 03CEC212
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 03CEC1C5
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
            • API String ID: 0-2968386058
            • Opcode ID: b7a326c172865d660a2d378da5f5985c667c51a4e5e5ba0af82421c2ea68c6f9
            • Instruction ID: a0480f67736134208c97ac29797a3d7e9999c823cfa0305824c3019b0f3446a5
            • Opcode Fuzzy Hash: b7a326c172865d660a2d378da5f5985c667c51a4e5e5ba0af82421c2ea68c6f9
            • Instruction Fuzzy Hash: D0418D76E0020AEFDB11DAD4C885FEEB7B8AB14700F05806AE905FB290D774AA449B90
            Function 03CC4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
            • API String ID: 0-1373925480
            • Opcode ID: cbbaa152420b5dfcbaac0e7cc0c92ca32a6b2811f0cdaefc77cec4681095eb85
            • Instruction ID: 6e10281a0cc84889dd7462a7e4249357277955806e16dccee929315d26c2113e
            • Opcode Fuzzy Hash: cbbaa152420b5dfcbaac0e7cc0c92ca32a6b2811f0cdaefc77cec4681095eb85
            • Instruction Fuzzy Hash: 694102759203C88BEB2ADBA6C860BADB7B8EF55340F19445ED841EF391D6359A01CB10
            Function 03CB4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            • LdrpCheckRedirection, xrefs: 03CB488F
            • minkernel\ntdll\ldrredirect.c, xrefs: 03CB4899
            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03CB4888
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-3154609507
            • Opcode ID: aee55ff02874af0fc01374a5fda4a24b9ba6d014d0833405732720e0de7ae7dc
            • Instruction ID: a33894e1ba7e9c23f903982c4811032c8dd2345cf374c7cb96160e770f7ac5a4
            • Opcode Fuzzy Hash: aee55ff02874af0fc01374a5fda4a24b9ba6d014d0833405732720e0de7ae7dc
            • Instruction Fuzzy Hash: 0141D7336087609FCB29CE6AD440AA6B7F9AF49650F090569EC58EB353D731DD00CB91
            Function 03C40BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-2558761708
            • Opcode ID: 5a1fd4cd56adac063890948782eb4682537432feeea0a153a46e6eb01f846b41
            • Instruction ID: dabadb916800e8e0303c029d17c606890694762bea4a726830a717929ede4f9c
            • Opcode Fuzzy Hash: 5a1fd4cd56adac063890948782eb4682537432feeea0a153a46e6eb01f846b41
            • Instruction Fuzzy Hash: 90112431395250CFEB59D616C444B39F3A8EF42B19F1A80AAE106CF251DB30DC40CB44
            Function 03CB20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrinit.c, xrefs: 03CB2104
            • Process initialization failed with status 0x%08lx, xrefs: 03CB20F3
            • LdrpInitializationFailure, xrefs: 03CB20FA
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2986994758
            • Opcode ID: 9142230e8e5035fdb776e2b0f8f9e75cbc49eb9074c6a45e4d90a383e1932fb0
            • Instruction ID: 5c0f2f6bc7b6f7ce4dad8e31f31dd53dd44d5ff83605bc2ee087e4196543a361
            • Opcode Fuzzy Hash: 9142230e8e5035fdb776e2b0f8f9e75cbc49eb9074c6a45e4d90a383e1932fb0
            • Instruction Fuzzy Hash: E8F0283A640308BFEB24E60CDC02FD97768EB41B04F050464FA00EF281D2F0AA10EA90
            Function 03C403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: #%u
            • API String ID: 48624451-232158463
            • Opcode ID: 95eecad1a41a9a1ebbb41433d499da2e898ac58b150ce1197c8b56c08c1a7ec1
            • Instruction ID: 1456d5bfc5b60d24ea47eff171b325440adcc5cda252498e2d8795ea1696fea7
            • Opcode Fuzzy Hash: 95eecad1a41a9a1ebbb41433d499da2e898ac58b150ce1197c8b56c08c1a7ec1
            • Instruction Fuzzy Hash: 06715B76A002499FDB05DFA9D994BAEB7B8FF48304F164065E901EB251EB34EE01DB60
            Function 03C452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@
            • API String ID: 0-149943524
            • Opcode ID: 2d6d0801389f9bf6ba9d1fd230e915b8deede90f359de03dbd4ffc867d1c4450
            • Instruction ID: f0d83d79cfc8e0eb2c83ab1de05bf49b89b4d2a5a44e631d345cf3cb4450851f
            • Opcode Fuzzy Hash: 2d6d0801389f9bf6ba9d1fd230e915b8deede90f359de03dbd4ffc867d1c4450
            • Instruction Fuzzy Hash: A932A8755083118BDB24CF19C484B7EF7E1AF8A750F19492EF986DB290E734CA94CB92
            Function 03C3A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
            Download Yara Rule
            Strings
            • LdrResSearchResource Enter, xrefs: 03C3AA13
            • LdrResSearchResource Exit, xrefs: 03C3AA25
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
            • API String ID: 0-4066393604
            • Opcode ID: ab7e4cb420095f288d97e1551c82f04c53ad3b411e14a0ec272c701ac03293af
            • Instruction ID: 386c2fee5c3880f5558f649efd18f653301be42067c6971bb17abb706d14828a
            • Opcode Fuzzy Hash: ab7e4cb420095f288d97e1551c82f04c53ad3b411e14a0ec272c701ac03293af
            • Instruction Fuzzy Hash: 38E19279E00258AFEF21CF99CD84BAEB7B9FF06314F154466E881EB250DB359A50CB50
            Function 03CFA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: `$`
            • API String ID: 0-197956300
            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction ID: f859c663c0bb734eb4a3c39f6d9b6671c0174392a7544de40434cd290343a0fd
            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction Fuzzy Hash: D9C1DE352047429FDB64CF29C845B6BFBE5AF84318F084A2DFA99CA290D774D645CF81
            Function 03C30CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
            Download Yara Rule
            Strings
            • ResIdCount less than 2., xrefs: 03C8EEC9
            • Failed to retrieve service checksum., xrefs: 03C8EE56
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
            • API String ID: 0-863616075
            • Opcode ID: 35bf1ce05264805f17f0909b49087b0e955d176d0dfde634ee0cd99f6c6dc379
            • Instruction ID: 177dd187b698b30c6446800f68f0309da3dd2a3a8374052c4b3070258f780ae6
            • Opcode Fuzzy Hash: 35bf1ce05264805f17f0909b49087b0e955d176d0dfde634ee0cd99f6c6dc379
            • Instruction Fuzzy Hash: 8EE1E2B59087849FE324CF15C440BABBBE4FB89315F448A2EE599CB380DB719609CF56
            Function 03CAE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: Legacy$UEFI
            • API String ID: 2994545307-634100481
            • Opcode ID: 3eef02902b89abdd4aa05481f1817978472cc411fb3d355d4c4e419edb8f570e
            • Instruction ID: 2fb2911126f5376dd9212d302047102411fd69b9a09ad4bae3dc3301d33cd93d
            • Opcode Fuzzy Hash: 3eef02902b89abdd4aa05481f1817978472cc411fb3d355d4c4e419edb8f570e
            • Instruction Fuzzy Hash: BC614C72E00B199FDB24DFBDC880BADBBB9FB44704F144069E559EB291D731A940DB90
            Function 03CD43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$MUI
            • API String ID: 0-17815947
            • Opcode ID: 89b1556abf3a8705550a25bcda0a82399a950b993d12795f53842c3425d552c0
            • Instruction ID: 1335d830c47144d4dab9574ef03cb1c4d72699930fe120519ab6dc75e8294f59
            • Opcode Fuzzy Hash: 89b1556abf3a8705550a25bcda0a82399a950b993d12795f53842c3425d552c0
            • Instruction Fuzzy Hash: 90513875E0021DAEDF11DFA5CC84AEEBBB8EB44754F150529EA11FB280EA309E45CB60
            Function 03C304E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
            Download Yara Rule
            Strings
            • kLsE, xrefs: 03C30540
            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 03C3063D
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
            • API String ID: 0-2547482624
            • Opcode ID: 6b5e987297d055e1bc076f770ed07b898329fc5b4ee99bb3cf3ff751e07f94d2
            • Instruction ID: d90a0583e875d1ba038318c3911d9c7e3efbfde96e7018d734d5f260f7806e42
            • Opcode Fuzzy Hash: 6b5e987297d055e1bc076f770ed07b898329fc5b4ee99bb3cf3ff751e07f94d2
            • Instruction Fuzzy Hash: C151CEB65547528FC724EF24C4446A7B7F8AF86300F08483EE9AACB241E770D645CB96
            Function 004010D0 Relevance: 2.6, Strings: 2, Instructions: 135COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: VUUU$gfff
            • API String ID: 0-2662692612
            • Opcode ID: 0208f205687868aae63b6b98f9cd7213e7df5d524723ae18044631c4025decd5
            • Instruction ID: bfe574e46b291233a85e02dcdef4eba4e30d37ff2b862f7b26726bf3653e4f3d
            • Opcode Fuzzy Hash: 0208f205687868aae63b6b98f9cd7213e7df5d524723ae18044631c4025decd5
            • Instruction Fuzzy Hash: E0312872F0011907DB2C885EDD916ABA646D7E8355B5C827BEE09EF3E2F579AE0042C4
            Function 03C3A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
            Download Yara Rule
            Strings
            • RtlpResUltimateFallbackInfo Enter, xrefs: 03C3A2FB
            • RtlpResUltimateFallbackInfo Exit, xrefs: 03C3A309
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
            • API String ID: 0-2876891731
            • Opcode ID: 88ba39bd85ad4c893c8c90f18b7e4ab0a4a50ca6274d3c5e148ef4ed7bbb3257
            • Instruction ID: f6a0a4da448a6ff37b606432ae1ba803537d6f0524f44b2d67a2bb1cf0a2d55f
            • Opcode Fuzzy Hash: 88ba39bd85ad4c893c8c90f18b7e4ab0a4a50ca6274d3c5e148ef4ed7bbb3257
            • Instruction Fuzzy Hash: 4341CF78A04649DBDB11CF69C844B69B7F4FF86700F1944AAEC81DF2A1E735DA10CB41
            Function 03C70FF6 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
            Download Yara Rule
            Strings
            • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 03C71025
            • @, xrefs: 03C71050
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
            • API String ID: 0-2976085014
            • Opcode ID: d78971b7c99b0635360fd0e027ccf6e063eed0249472f2d8c6287f428c0d4f57
            • Instruction ID: a0a9d043cf033bdaadf084e5da09861d487fecf3bfe03549160dfb66e4f04e75
            • Opcode Fuzzy Hash: d78971b7c99b0635360fd0e027ccf6e063eed0249472f2d8c6287f428c0d4f57
            • Instruction Fuzzy Hash: 0E31B476900689AFCB11EFA6CC84F9FBBBCEB85750F010525E901EB250DB759D01DBA0
            Function 03C6A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: Cleanup Group$Threadpool!
            • API String ID: 2994545307-4008356553
            • Opcode ID: 034bd1df657e9a62dacee395d7b425ddb4ebac3ad26059b62b49476eda78e57d
            • Instruction ID: 76f1ed01a5308b4fe723c7a860e01327983337c460564caeb5db399b25c21c58
            • Opcode Fuzzy Hash: 034bd1df657e9a62dacee395d7b425ddb4ebac3ad26059b62b49476eda78e57d
            • Instruction Fuzzy Hash: 5A01FFB6244740AFD321DF24CD89F26B7E8EB54B26F018979A658CB290E374E804CB46
            Function 03C3C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: MUI
            • API String ID: 0-1339004836
            • Opcode ID: f1c59133b1817cf9a0ab131decfb0dfea3b2faaa57a378348a6a973c3ed676e5
            • Instruction ID: be00aaf97956b56916b1b5b7d97fe4a1571b43b83d24ab134b2731902e9abb81
            • Opcode Fuzzy Hash: f1c59133b1817cf9a0ab131decfb0dfea3b2faaa57a378348a6a973c3ed676e5
            • Instruction Fuzzy Hash: EF824C75E002189BDB24CFA9C984BEDF7B5BF4A710F188169D85AEB250DB319E41CF50
            Function 03C82F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: P`vRbv
            • API String ID: 0-2392986850
            • Opcode ID: f849b347fc7dff7d1b9845de0d28806afb470cea834059b6b02d841b2ef43be9
            • Instruction ID: 43bfe3ab7374075d124a78a173bce885670fe94b4cc2f55229a1b80659a2f7b6
            • Opcode Fuzzy Hash: f849b347fc7dff7d1b9845de0d28806afb470cea834059b6b02d841b2ef43be9
            • Instruction Fuzzy Hash: 8542E27DD04299AADF29FFA8D8446BDFBB0AF04B18F18905AD441EF280D7358B81CB54
            Function 03C52E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 72a7eaf7cc8e56cc8ed2abe6e1ee436b0abd1d9a8e75c0bcbb22e99e38ff597e
            • Instruction ID: 85e08dfcb1a0fc284eb2cb806008690ce3c7f91c9dddbf95a7eb22085ec416ea
            • Opcode Fuzzy Hash: 72a7eaf7cc8e56cc8ed2abe6e1ee436b0abd1d9a8e75c0bcbb22e99e38ff597e
            • Instruction Fuzzy Hash: F1F1B0796087819FDB25CF25C484B6BBBE5AFC8750F09486DFC89CB240CB34DA858B55
            Function 0041640C Relevance: 1.7, Strings: 1, Instructions: 434COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: ec8d8abdb05743ce766ad9bee3cbb3bb551f726dc8d67f3c5027b10d8f340f30
            • Instruction ID: 16b16de77e1442f2cd0262f5e90ee5eb7916a62ea607ce52d1cd1a6577cf202a
            • Opcode Fuzzy Hash: ec8d8abdb05743ce766ad9bee3cbb3bb551f726dc8d67f3c5027b10d8f340f30
            • Instruction Fuzzy Hash: CA120CB6E006199FDB14CF9AD48059DFBF2FF88314F1AC1AAD849A7315D774AA418F80
            Function 0041644E Relevance: 1.7, Strings: 1, Instructions: 423COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: e3778b0d781eefb8811b393bb69ea21ad1f8e5ccadb0f0d3fa5ef0bb672628ea
            • Instruction ID: 31aa822f008f6f596da343e1ad740a9c06bde7424c53ebab665c853f5b14e613
            • Opcode Fuzzy Hash: e3778b0d781eefb8811b393bb69ea21ad1f8e5ccadb0f0d3fa5ef0bb672628ea
            • Instruction Fuzzy Hash: 68021EB6E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
            Function 00416453 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction ID: f2221d0938b742bd4ba105a26cf42fa73358aa1b34a6551c929fe28e3755621d
            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction Fuzzy Hash: 6A021E76E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
            Function 03C32FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PATH
            • API String ID: 0-1036084923
            • Opcode ID: 782b45dc364bbbac17c1424fe324914e2c8a6010b78bbe36d1c4c3525d564296
            • Instruction ID: f63a8d3011b777662e3d77c456c32564c3cfe19375716406d70bf68f99a1593e
            • Opcode Fuzzy Hash: 782b45dc364bbbac17c1424fe324914e2c8a6010b78bbe36d1c4c3525d564296
            • Instruction Fuzzy Hash: F6F1D37AD00258DBCB25DFA9D880ABEBBB1FF9A700F494029E841EB350D775E941CB51
            Function 03CBEFA0 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: __aullrem
            • String ID:
            • API String ID: 3758378126-0
            • Opcode ID: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
            • Instruction ID: 25a60684bfd8679bc49520583e842c00498a1cd8ae4972b6c73b0d43b8b6371d
            • Opcode Fuzzy Hash: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
            • Instruction Fuzzy Hash: FB418E75F002299BCF18DFB9C8805AEF7F6FF88310B198679E615E7390D634AA518790
            Function 03C30100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: fbaf9936e9123821a492d56ca45ed1a1daace3bde71f0748d9804f1b1800625c
            • Instruction ID: 912b5104630a4608ee12ec42806349a05d3a2cf8080956f54a22822f56e8015b
            • Opcode Fuzzy Hash: fbaf9936e9123821a492d56ca45ed1a1daace3bde71f0748d9804f1b1800625c
            • Instruction Fuzzy Hash: 61A10B33A043786BDF64DB298840BFEA7A95F46308F0940D9ED87EF281CA759B44CB55
            Function 03CB6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: a78aeaaf369728387f7217a29c5ac3f87eb046d7f3349213f54a000321b75ab8
            • Instruction ID: 0040529b29d1ade626c22fc14bdb588b45ccbe5271632098fb52d34a62feaa4d
            • Opcode Fuzzy Hash: a78aeaaf369728387f7217a29c5ac3f87eb046d7f3349213f54a000321b75ab8
            • Instruction Fuzzy Hash: 68918E76A40218AFEB21DB94CD85FEEB7B8EF08B50F150065FA00EF190D674AD54DBA4
            Function 03C6A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalTags
            • API String ID: 0-1106856819
            • Opcode ID: 4f3e426a6e092e9f6209aa5eb0ce3fc0d2c0af962f2ec626ba6c3c08e6782a70
            • Instruction ID: 89f174274dab451a1fc6c813c47b92bd799d84f0eb91e9922cf15142aeef4ff4
            • Opcode Fuzzy Hash: 4f3e426a6e092e9f6209aa5eb0ce3fc0d2c0af962f2ec626ba6c3c08e6782a70
            • Instruction Fuzzy Hash: 0C716D76E0071ADFDF28CF9DD5906ADBBB5BF48708F18816AE806EB240E7309951CB54
            Function 00402150 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: gfff
            • API String ID: 0-1553575800
            • Opcode ID: 39a769b787ebf44fb97fefec5227ed7203e71841f9cea0e7e6503a04567e17ee
            • Instruction ID: 8188392f8480d5014db62e8dcf3b9b14fb250bb746840cd88067a7026db6a44a
            • Opcode Fuzzy Hash: 39a769b787ebf44fb97fefec5227ed7203e71841f9cea0e7e6503a04567e17ee
            • Instruction Fuzzy Hash: F5512832B0000A07DB1C885DDEA82BA6643D7E4315F98827FDD86DF3D5E9BC6D465289
            Function 03CD4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .mui
            • API String ID: 0-1199573805
            • Opcode ID: adb3cdadb892e76e7fb0c051bc163331a124d38600b91e8508a6912759d634fa
            • Instruction ID: a85f0af5cfdfb060d0dd130da16e22a4f007308bf16762895f9e6f4d3f17ca9e
            • Opcode Fuzzy Hash: adb3cdadb892e76e7fb0c051bc163331a124d38600b91e8508a6912759d634fa
            • Instruction Fuzzy Hash: D9518476D00729EBCF14DF9AC845AAEF7B4AF05600F05412AFB15FB250DB349901CBA4
            Function 03C4E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: EXT-
            • API String ID: 0-1948896318
            • Opcode ID: 0200ea529325244b393a737650f9485cba1dd6f3ab1f63c0ddf4fea734fc16e9
            • Instruction ID: 4335949ac091f3bb2257cc2a482c11d74beba7f38266440c0ead934b456c19ab
            • Opcode Fuzzy Hash: 0200ea529325244b393a737650f9485cba1dd6f3ab1f63c0ddf4fea734fc16e9
            • Instruction Fuzzy Hash: F841B0765083519BD710DB75C984B6BB7E8BF88714F060E2DF984DB180EB74DA04C796
            Function 03CAC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: BinaryHash
            • API String ID: 0-2202222882
            • Opcode ID: 430cc3a3e55188feac1b2f015b2d9fe2b94c824a6a38076275052869432745e2
            • Instruction ID: 78e54c4b5aba878866798ae7a5e83c245f2b725816f6fa7ea74367d5daf8b567
            • Opcode Fuzzy Hash: 430cc3a3e55188feac1b2f015b2d9fe2b94c824a6a38076275052869432745e2
            • Instruction Fuzzy Hash: 9B4165B6D0062DAADB21DB54CC84FDEB77CAB44718F0185E5EA08EB140DB709E889F94
            Function 03CB07C3 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: F(u
            • API String ID: 0-578476829
            • Opcode ID: f25a961c4e85de9823927405a97c4498d2ff3ab25c9f4f3b92faa8c0e0090d9a
            • Instruction ID: 34aac23f4416db84a7a934515f484c0309b5a415bcc176aaa51e329bcc4f6756
            • Opcode Fuzzy Hash: f25a961c4e85de9823927405a97c4498d2ff3ab25c9f4f3b92faa8c0e0090d9a
            • Instruction Fuzzy Hash: 0C417D725083509FD760DF29C845B9BFBE8FF88664F004A2AF998DB251D770D904DB92
            Function 03CC6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            • Opcode ID: e7cb21aef9ceda3d4f2e935f494e271472f5e09d4d1f03e02529b78d726c8b8b
            • Instruction ID: 1b4b4b0e569a55b56b0b65cde143f6751671adb671dce43ff4be0ad189f832b6
            • Opcode Fuzzy Hash: e7cb21aef9ceda3d4f2e935f494e271472f5e09d4d1f03e02529b78d726c8b8b
            • Instruction Fuzzy Hash: D8312231A103889BDB22DB69C950BEEBBB8EF05704F18406CE841EF281CB75ED15DB90
            Function 03CD0F50 Relevance: 1.3, Strings: 1, Instructions: 99COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
            • Instruction ID: 64ec16eb6c048dfc037911bff1db983c7d6bd79c46a68aae3f6f6cb650df02c6
            • Opcode Fuzzy Hash: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
            • Instruction Fuzzy Hash: 35319E71018385AFD350DF15C849E9BFBE8EF84750F444A2EB694CA290E7B0E908CB92
            Function 03CACA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: BinaryName
            • API String ID: 0-215506332
            • Opcode ID: 657a6eda4be2f3543afd914676c8d3ff11c73453e1926413517ba1864287003a
            • Instruction ID: 65d63809907d1765729e2bea981dbae9154ff1631ff5e2d075b976f14b83b930
            • Opcode Fuzzy Hash: 657a6eda4be2f3543afd914676c8d3ff11c73453e1926413517ba1864287003a
            • Instruction Fuzzy Hash: 6F313576D40A1AAFDB15DB4DD844E7FF7B8EB80714F058169A811EB250DB319E00C7E0
            Function 03CB892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
            Download Yara Rule
            Strings
            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 03CB895E
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
            • API String ID: 0-702105204
            • Opcode ID: 8094bd0af0d9df4828f05d780df82afa55922333f0b88a03b684aec4a5b94587
            • Instruction ID: 8428fa3dd818164878e159c74c657165aa54b93b476a8794376d5f7378ad395a
            • Opcode Fuzzy Hash: 8094bd0af0d9df4828f05d780df82afa55922333f0b88a03b684aec4a5b94587
            • Instruction Fuzzy Hash: 6801F736A003509FDB25FA569C84EEABB79EF96654F090428E541CE152CB30AD44E692
            Function 03CE6FF7 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
            Download Yara Rule
            Strings
            • Critical error detected %lx, xrefs: 03CE7027
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Critical error detected %lx
            • API String ID: 0-802127002
            • Opcode ID: efbe8664052ab2e0151e6a669fd39e7985aa550eee735fa12e0bccb2b9ebaa55
            • Instruction ID: 50b38e437ee1883b6f7f1a5c4af9b3f9e088f34cd71ab1f498c7d06b9ff12b2e
            • Opcode Fuzzy Hash: efbe8664052ab2e0151e6a669fd39e7985aa550eee735fa12e0bccb2b9ebaa55
            • Instruction Fuzzy Hash: 0A113976D043488FDB25DFA8D8017DDFBB1EB04719F24412AD165EB282E7755601CF14
            Function 03C6E8F0 Relevance: 1.0, Instructions: 985COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f7c87b017e63eb1d37c46f99fb574e988fe9e4c6e26dd43fd6ea7f968834a65
            • Instruction ID: 77e2d6e610ac0f751d21e36ed232b59c106f730ce7cbada229b736d6be9c1ad8
            • Opcode Fuzzy Hash: 2f7c87b017e63eb1d37c46f99fb574e988fe9e4c6e26dd43fd6ea7f968834a65
            • Instruction Fuzzy Hash: 23822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE416EB345DA34AC568B45
            Function 03C7516C Relevance: .8, Instructions: 785COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e8951be3170c0f1d402c877f11a9390d45954068cf374fa42594c689c5ab8496
            • Instruction ID: 621660b7852f931ecb883d1f6bb2267c3c783f2d6b5b3b6c9bc10abaac333aeb
            • Opcode Fuzzy Hash: e8951be3170c0f1d402c877f11a9390d45954068cf374fa42594c689c5ab8496
            • Instruction Fuzzy Hash: 54628D7690464AAFCF24CF18D4905AEFB62BA56314F49C69CCC9AEB604D731BA44CBD0
            Function 03CD2000 Relevance: .8, Instructions: 757COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb0abd8ead173dc20b45f5b25cf9d29dfbeeaf27a861cefa3e0b15cdb922513d
            • Instruction ID: bf225dafd1e823eda84cef0b533311f354809821f1bffb15a72310a343fc0fb7
            • Opcode Fuzzy Hash: eb0abd8ead173dc20b45f5b25cf9d29dfbeeaf27a861cefa3e0b15cdb922513d
            • Instruction Fuzzy Hash: 0B42DD366083418FD725DF69C890A6BF7E9AF88300F094D2DFA82DB250D771EA45DB52
            Function 03C8739A Relevance: .7, Instructions: 705COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b840e4733519fadc3d9307634be246aea2f36b6c202992ccd72977f2bb4e50fe
            • Instruction ID: beb68af9dd1063871adc36d8ded1ce583a87e2c686d53affaa9ebc4275dd1edf
            • Opcode Fuzzy Hash: b840e4733519fadc3d9307634be246aea2f36b6c202992ccd72977f2bb4e50fe
            • Instruction Fuzzy Hash: 4A429175A006168FDB15EF59C4806BEF7B6FF88318B28856DD552EB340E734EA42CB90
            Function 03C85AA0 Relevance: .7, Instructions: 652COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
            • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
            Function 03C5B2C0 Relevance: .6, Instructions: 629COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 373c7826561699dc3d5aca93c4d672f5c0483be2f5678bb18a9fe4d06248e608
            • Instruction ID: 77b09d09677fc85c6ab31df57f2df1c4936ad803d6b7002ea21d41b0b8aa1c2f
            • Opcode Fuzzy Hash: 373c7826561699dc3d5aca93c4d672f5c0483be2f5678bb18a9fe4d06248e608
            • Instruction Fuzzy Hash: D7329976E002199BCF24DFA8C884AAEBBB1FF54714F190029EC05EB381EB359D41CB94
            Function 03CC8158 Relevance: .6, Instructions: 617COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e517f0956ffd44887f40ed7793f9bd5fd07f9ad37621ad8fa5c3a882db9d706a
            • Instruction ID: 714e461ee81374bc0acaa7fb164c481b9a56445cad93ac4ac82ec070d8ef19c7
            • Opcode Fuzzy Hash: e517f0956ffd44887f40ed7793f9bd5fd07f9ad37621ad8fa5c3a882db9d706a
            • Instruction Fuzzy Hash: E7423975A103599FDB24CF69C881BAEF7B5BF88300F19819DE949EB241D734A981CF60
            Function 03C42840 Relevance: .6, Instructions: 605COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 049e87d4e451a4083991cb2db1116da627717ee9c7cd5c8951fc22d8579f314a
            • Instruction ID: e8605782b5a4978f14ce85bad56ed8af3f2f6184850bbd4d5c87c7154d6ee156
            • Opcode Fuzzy Hash: 049e87d4e451a4083991cb2db1116da627717ee9c7cd5c8951fc22d8579f314a
            • Instruction Fuzzy Hash: BD320E74A007558BEF24CF6AC8487BEFBF6AF84320F1A455AE446DF284D735A921CB50
            Function 03CDA118 Relevance: .6, Instructions: 591COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 480222e85fa6bbf1c0fd7fba6e02e9a616ebf13f43d33f306fbd067993b0fb5c
            • Instruction ID: 64f2683dfbd8f484c7e36b3ae689a9b624088853f97251c668ef6c63b7a3c77c
            • Opcode Fuzzy Hash: 480222e85fa6bbf1c0fd7fba6e02e9a616ebf13f43d33f306fbd067993b0fb5c
            • Instruction Fuzzy Hash: E422AD78204651CFDB24CF2AC094772B7F1AF45300F18889AFA96CF685E735E692DB61
            Function 03CF16CC Relevance: .6, Instructions: 571COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: afcba136958c0d2f52006177652e323338911490b871630f98f5a3ccebbb11ae
            • Instruction ID: 0efa3fa15b15182e0a8be9f85d01267a049cd5cfb1fa2c26033f31bb78de6074
            • Opcode Fuzzy Hash: afcba136958c0d2f52006177652e323338911490b871630f98f5a3ccebbb11ae
            • Instruction Fuzzy Hash: A5228035A00216CFCB59CF59C490AAAF7B6FF88314B2D456DDA56DF344DB30AA41CB90
            Function 03C5FB80 Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 240b4920a2ddec6e511c4b7b971baa932756a04fbb1e6775d05e48a26fbdc642
            • Instruction ID: dfb54ad5c3e970a727378f14fce1b0289943fe7c6e2ccc0a9e19560a6a4fa58b
            • Opcode Fuzzy Hash: 240b4920a2ddec6e511c4b7b971baa932756a04fbb1e6775d05e48a26fbdc642
            • Instruction Fuzzy Hash: 7C22D37590061AEFDB14DFA8C880BAEB7B5FF44358F1485A9E814DF245E730EA85CB90
            Function 03C58DBF Relevance: .6, Instructions: 554COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 19ad5b167e43cc9a51cb77d41b2704fd78edf76dbf7847f2aece7d52f87feb43
            • Instruction ID: 9d61acf876348ec261f6e80cb6f73a466d91dd2ff633a283da447a94123f8716
            • Opcode Fuzzy Hash: 19ad5b167e43cc9a51cb77d41b2704fd78edf76dbf7847f2aece7d52f87feb43
            • Instruction Fuzzy Hash: 41225E74E00216DBDF14CF95C4849BEFBF6BF48704B19819AE846EB241E774EA81CB64
            Function 03C36A50 Relevance: .5, Instructions: 548COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f562db667df242ee707082e34ce0c72deb3831fd1b14637828057cbd320c4aad
            • Instruction ID: 32ef86c1fac9263ddb56f2912448d7e20503fe1134a5daf4dccc3a3afe44dcb9
            • Opcode Fuzzy Hash: f562db667df242ee707082e34ce0c72deb3831fd1b14637828057cbd320c4aad
            • Instruction Fuzzy Hash: DF329C75A01205DFDB24CF69C480BAAB7F5FF49300F1985AAE856EB391DB30E951CB90
            Function 03CF2446 Relevance: .5, Instructions: 485COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2858f221d82e5dea364321fa68a241d704ba14e4d5be273df83f245aab8ff58e
            • Instruction ID: 0c20314ab419698c5892a2f7b87591e97b45e0e65ace7d5cc5c4af929b50604e
            • Opcode Fuzzy Hash: 2858f221d82e5dea364321fa68a241d704ba14e4d5be273df83f245aab8ff58e
            • Instruction Fuzzy Hash: 660204796046518FDBA4CF2AC450375FBF1EF85300B19899AEAD6CF281D734EA42DB60
            Function 03D0B16B Relevance: .4, Instructions: 450COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 54927d9dc4ad27ff5527c6dc0caa83e755990f2780f6c778783c7222936e7a85
            • Instruction ID: 2fb3835cefedcf4f5160eb4aaa2ba4f99a794f9eaac93e729dd011a9e1c6e483
            • Opcode Fuzzy Hash: 54927d9dc4ad27ff5527c6dc0caa83e755990f2780f6c778783c7222936e7a85
            • Instruction Fuzzy Hash: D7F1E572E046118BCB18CFB9C9A077EFBF5EF98600719416AD4A6DB3C0D674EA41CB90
            Function 0040FD13 Relevance: .4, Instructions: 435COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction ID: 998763cf03f938bb49475f3d624baab98bfa2fc8c1985b3692c083e1dfcb63f2
            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction Fuzzy Hash: C2026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA39BA525A90
            Function 03D0A9A6 Relevance: .4, Instructions: 425COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 05ad5870a95c0dec24100b27634f4e8665db5764e8f9d177e7894394216b9e57
            • Instruction ID: 67742d581f7ca19ccbd65b9e80646d9f10d785d3794b6141b6bd11a4e304851f
            • Opcode Fuzzy Hash: 05ad5870a95c0dec24100b27634f4e8665db5764e8f9d177e7894394216b9e57
            • Instruction Fuzzy Hash: DEF1D677E006269BCB18CE68C5A06BDFBF5EF45610B1A426AD856EB3C0D734DE41CB90
            Function 03C54A35 Relevance: .4, Instructions: 423COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
            • Instruction ID: 295f0f0a406ba503d875f61a7995b890481f478bcb77322bba90c494dedd253e
            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
            • Instruction Fuzzy Hash: 2AF15E71E006199BDF18CF9AD584AAEF7B5AF48710F0A8169EC05EB240E774ED81CB64
            Function 03CC892B Relevance: .4, Instructions: 386COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4269d904649e7f988c9cb7f91c48391500a8e75596008b65f0b1e8b7609c815
            • Instruction ID: 65c11e412982df374208c2a5136e9b8c433558ab593890544a7d48c09a3db04f
            • Opcode Fuzzy Hash: d4269d904649e7f988c9cb7f91c48391500a8e75596008b65f0b1e8b7609c815
            • Instruction Fuzzy Hash: B8D1F072A1074A9BDB04CF69C851AFFB7F5AF88304F19816DD855EB240EB35EA01CB60
            Function 03C365D0 Relevance: .4, Instructions: 383COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b202a93049f28f043bf0851cd72081d0c55edd3e22171d3c627e779f2665acc0
            • Instruction ID: 0a1650a975e1452010ad487f9d49c8eb4bb51a71b82c5eb1ec29d78f94e816a9
            • Opcode Fuzzy Hash: b202a93049f28f043bf0851cd72081d0c55edd3e22171d3c627e779f2665acc0
            • Instruction Fuzzy Hash: FAE18B71508341DFC714DF28C090A6ABBE4FF8A314F098A6DE899CB351DB31EA15CB92
            Function 03C28397 Relevance: .4, Instructions: 380COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 68632295a5e6b08fc4f35686167cbf91b5494f782c55964ed413408bc94fea54
            • Instruction ID: a9ceee2fd36f8d5c220c0074a4cc8a1b4b06f0ee7f88a381e489b7d4631cc9e9
            • Opcode Fuzzy Hash: 68632295a5e6b08fc4f35686167cbf91b5494f782c55964ed413408bc94fea54
            • Instruction Fuzzy Hash: 4CD1C475A007269BCF14EF65C890ABABBB5BF44708F094629F915DF280EB34EA45CB50
            Function 03C5C6E0 Relevance: .4, Instructions: 367COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dcf7e154ba3d11db12221a79477c9d077c09de4965553be051bdbd2eb90796dd
            • Instruction ID: 2a4a86ed1cb7e697710a7a7c0f4162716b8915deaaea04eeb9b21f1541bace45
            • Opcode Fuzzy Hash: dcf7e154ba3d11db12221a79477c9d077c09de4965553be051bdbd2eb90796dd
            • Instruction Fuzzy Hash: 29D14C72E043198BDF28CA99C5843BDBBB5FB54344F19C06AE842EB695D7748AC1CB48
            Function 03C438E0 Relevance: .3, Instructions: 349COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e7952a73fcb0c06d3ae1428ad145019e6c7a3ac904cd06d2ef93a2566d25f672
            • Instruction ID: ea38034448a7249a0b47cf1357cf7215789ae1e2ddaf55fdfb4c685866b0bcfa
            • Opcode Fuzzy Hash: e7952a73fcb0c06d3ae1428ad145019e6c7a3ac904cd06d2ef93a2566d25f672
            • Instruction Fuzzy Hash: 0AE17D75A002458FDB18CF59C884BAAF7F5FF98310F19819AE855EB391D730EA51CB90
            Function 03C4CFE0 Relevance: .3, Instructions: 345COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 47f9d116f930cc40313cfd420fff7415493c598fc89b5355c3ebff360374c387
            • Instruction ID: d9ab39af31f9c792273f977cd750dcd40d7268fb34ea03c6cb8938fe6e8f5535
            • Opcode Fuzzy Hash: 47f9d116f930cc40313cfd420fff7415493c598fc89b5355c3ebff360374c387
            • Instruction Fuzzy Hash: F7D1C431B003198FDB34EB25C898BAAF7B5BB45314F0940E9D90ADB242DB75AE85CF51
            Function 03CB8243 Relevance: .3, Instructions: 322COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
            • Instruction ID: d334c1a31b82a34959d35abcfe95cdf579f016b65461ef4716b7bcd4152f0a78
            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
            • Instruction Fuzzy Hash: CFB13E78A00748AFDF24DF95C980AEBB7BDFF84304F144469A942EB790DA35EA45DB10
            Function 03C40535 Relevance: .3, Instructions: 300COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction ID: 0f259f5ac383e79320f5477814559ae95be2d4b5d80856cf2eb3fde404c9d76d
            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction Fuzzy Hash: 5BB12535600655AFEF25DB69C844BBEFBF6EF84200F1A0199D642DF281DB30EA41DB90
            Function 03C383C0 Relevance: .3, Instructions: 281COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4aba702a05b78d9ca217e2124169597e92c1977c8e2086359d66209299cb692
            • Instruction ID: 62cb4eb96a79b102cad59048c22df6155458c89986f8e7f3f7ade8214e11a4d3
            • Opcode Fuzzy Hash: d4aba702a05b78d9ca217e2124169597e92c1977c8e2086359d66209299cb692
            • Instruction Fuzzy Hash: 68C169741083418FEB64CF15C495BAAB7E4FF88704F49496EE989CB290D774EA08CF92
            Function 03C2C427 Relevance: .3, Instructions: 280COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2a126cc533741330823b500f1bef7ac44ac031766fc05b0b51e3d6e1d4182cdf
            • Instruction ID: 070dd588c25f9100a553265fa6ec55458797a38a73f41ac4b45bcacb20c12b26
            • Opcode Fuzzy Hash: 2a126cc533741330823b500f1bef7ac44ac031766fc05b0b51e3d6e1d4182cdf
            • Instruction Fuzzy Hash: 49B17F74A002698FDB64DF55C880BADB7B5AF44704F05C5EAD80AEB240EB70DEC5DB20
            Function 03C5E5E7 Relevance: .3, Instructions: 278COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0865659904de008eaae6a2db739268bece3a6f07209b29c4e0d8a48bb4a0bf8a
            • Instruction ID: 77a6909795444cbd25613e0f46b0cc70826a352e8f574da8663918f70a303ce8
            • Opcode Fuzzy Hash: 0865659904de008eaae6a2db739268bece3a6f07209b29c4e0d8a48bb4a0bf8a
            • Instruction Fuzzy Hash: 62A10431E006189FEF21DB69C848BEEB7B4AB05754F0A4156ED50EF290DB749F80CB95
            Function 03C70185 Relevance: .3, Instructions: 276COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c968b0e4dd8eab9e6e16fce3eb331ef7f573e6de141b791e9f311a0e7e6852fd
            • Instruction ID: 3bf16fdc07a13450a0073aa4b36b2845eb358b136bba97ba829e7be4bddeb119
            • Opcode Fuzzy Hash: c968b0e4dd8eab9e6e16fce3eb331ef7f573e6de141b791e9f311a0e7e6852fd
            • Instruction Fuzzy Hash: A8A1C175A0072ADBDB24DF6AC991BAAB7F5FF44318F044129EE05DB281DB34E901DB50
            Function 03D04500 Relevance: .3, Instructions: 275COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c9360d419c71d241030d9b8f6ee13eb6a60952933528e99a83b6de21497401f0
            • Instruction ID: f4c18fac87e7d30ec411c5654bbe7761e3affa1eab0558d0c96da35fcc3cb442
            • Opcode Fuzzy Hash: c9360d419c71d241030d9b8f6ee13eb6a60952933528e99a83b6de21497401f0
            • Instruction Fuzzy Hash: 8CA1AA72A04651AFC721DF29C980F6AB7F9FF88B04F450968E685DB690D734E901CF91
            Function 03CB60E0 Relevance: .3, Instructions: 264COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 43daf1486e112ea1653f4aa484bcc75e2c4297b6cb4f4da2e294b0fd9e39aaf8
            • Instruction ID: 24d1ab849e22ac93968fd24f81458c50e30096d4dfd797de98819199cfa9600c
            • Opcode Fuzzy Hash: 43daf1486e112ea1653f4aa484bcc75e2c4297b6cb4f4da2e294b0fd9e39aaf8
            • Instruction Fuzzy Hash: 0D91B071E00215AFDB15CFA8D884BEEFBB9AF48700F154169E951EB340D738EA509BA0
            Function 03C4E3F0 Relevance: .3, Instructions: 261COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 40faecd83f0643dfe04d81da684b845ea0da2725f9d89854bf38603903f914d7
            • Instruction ID: ffce50bc57664964dd1f114cd67254298e06f74f0dee9c3d5f080b6400e3ded6
            • Opcode Fuzzy Hash: 40faecd83f0643dfe04d81da684b845ea0da2725f9d89854bf38603903f914d7
            • Instruction Fuzzy Hash: 1A910436A007258BEB24EB79D448B7EB7A5FF84714F0B40AAE805DF240EB34DA41C791
            Function 03C64750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction ID: efd3e8be87051e0fd9e9441e3d5e9dbe69e9fdfdf7e403425c2bfb53e152fa67
            • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction Fuzzy Hash: 48817A36E047D68FDB29CEAEC8D02ADFB55EF56204B2C467AD542CF241C225D986C391
            Function 03C7DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction ID: d1b85583018ec38e75dc2f59bb9a0644196fe3bc11a8fcc41409d20e9a8cd483
            • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction Fuzzy Hash: BA915372620A06CFD725CF2DC889662BBE0FF55364F188A18E8E7DB6A0C375E511CB10
            Function 03CFF7B0 Relevance: .2, Instructions: 242COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7d2117f0242b49a1b4a6a81cc0f584b7417b60f386dd1649b1b14860ec85de9e
            • Instruction ID: 1ab1bb397fae8db0cc5f5d43c9b330d412ac7f659a65b13ab1eb714cd332bae0
            • Opcode Fuzzy Hash: 7d2117f0242b49a1b4a6a81cc0f584b7417b60f386dd1649b1b14860ec85de9e
            • Instruction Fuzzy Hash: 4291E372E00206AFDB54CF29C8807AABBE5EF49310F19857CEA55DF291D774EA11CB90
            Function 03CFF43F Relevance: .2, Instructions: 241COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aadfba181bc8f3040fadc7f8b18cb582a8cabe5b5f0588eff71b90d0f5db444c
            • Instruction ID: d2d5e7ab0bb989b80f264209c4240dbc526ab3b171d76463b2702763faf041e3
            • Opcode Fuzzy Hash: aadfba181bc8f3040fadc7f8b18cb582a8cabe5b5f0588eff71b90d0f5db444c
            • Instruction Fuzzy Hash: E691C072A005159FCF58CF69C8906BEBBF2EF88310F1986ADE915DB395D634EA01CB50
            Function 03CF81CC Relevance: .2, Instructions: 232COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 18c555c25d69994f8bd0e23118e91006bd4adfb96ce148a0f86c801ab0d395ee
            • Instruction ID: 1d25c771b4c5f0aeee939aaec364c3ecedd5e36369cb6ae23ff478c2bae81daa
            • Opcode Fuzzy Hash: 18c555c25d69994f8bd0e23118e91006bd4adfb96ce148a0f86c801ab0d395ee
            • Instruction Fuzzy Hash: 7D81B472E006199FCB54CF69C8805AEB7F5FF88310B19426AD925EB280D774EA56CB90
            Function 03C40E59 Relevance: .2, Instructions: 231COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d59b03abed515b4f2fad9274ae49d856599978870cf4b289318d1b240bdaa69
            • Instruction ID: 99ead5978fb694f098e716396c04fa592e9b5c299babc63e145b95d7a096ceaa
            • Opcode Fuzzy Hash: 3d59b03abed515b4f2fad9274ae49d856599978870cf4b289318d1b240bdaa69
            • Instruction Fuzzy Hash: 3D819631A00669DFDB14CE5AC8849AEFBB2FF85210B29C2A5E954DF345D730DA41CB90
            Function 03C86ACC Relevance: .2, Instructions: 226COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: faedda3dd3d55e8d16c9ed00ffdfafb6b7772d52263c2feb2f9306735c662c9a
            • Instruction ID: e0ddb27cf3018ce6b7b71aeb2f811e92953fa408b723c751c38d005655ef2d3f
            • Opcode Fuzzy Hash: faedda3dd3d55e8d16c9ed00ffdfafb6b7772d52263c2feb2f9306735c662c9a
            • Instruction Fuzzy Hash: 1381A471A006159BDB18DFA9C840ABEF7F9FB48708F14852EE945EB640E734DA50CBA4
            Function 03CEE4F6 Relevance: .2, Instructions: 224COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: baedd80ead76611a0c6d4f54bccb2bf23cf405e8b0c0feca065e2083989cd16f
            • Instruction ID: 5e6a269567cd9af300997dde59159680c6026540f25beebd6cf87a9e2cd56cfd
            • Opcode Fuzzy Hash: baedd80ead76611a0c6d4f54bccb2bf23cf405e8b0c0feca065e2083989cd16f
            • Instruction Fuzzy Hash: 0B819176E002159BCB18DFA9C5906ADFBF5EF88350F19816AD816EF385D7309E41CB90
            Function 03CFAB40 Relevance: .2, Instructions: 222COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction ID: 802b6d236b02fb566779e7483cc2d4b5b1324042d2939d4b5eda4bacd32e3eeb
            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction Fuzzy Hash: 62816039A102059FCF58DF99C890AAEF7B6EF88314F198169D91ADB344DB34EA01CF50
            Function 03C6E284 Relevance: .2, Instructions: 212COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0bc85a5d6b5c71eb57af0a1e3d5930a17f5fc452298a005f0e80274d198f4f74
            • Instruction ID: acdb49ab7eff64c3e105249ac2daf81580f3f6fd02ddeee266a5844d6a300250
            • Opcode Fuzzy Hash: 0bc85a5d6b5c71eb57af0a1e3d5930a17f5fc452298a005f0e80274d198f4f74
            • Instruction Fuzzy Hash: C1818E75A00709AFDB21CFA9C980AEEF7FAFB88344F14442AE455EB250D730AD45DB60
            Function 03C5B950 Relevance: .2, Instructions: 209COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b942fbcfdf2fe81860387f48d3e49ebbc4c1a62c9c37e9fda2e59d0571900f5b
            • Instruction ID: 5050346fe402aaf2ce82735ca1f647b563cc8c68b92da7bde6ba239e79c5cc1a
            • Opcode Fuzzy Hash: b942fbcfdf2fe81860387f48d3e49ebbc4c1a62c9c37e9fda2e59d0571900f5b
            • Instruction Fuzzy Hash: 7171D4342047548EEB24CE2AC944736BBE1AB94704F19855EFC96CF1C8DB36ED82DB64
            Function 03C4C640 Relevance: .2, Instructions: 206COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 961af957aecc1f58b36449347d53a0a4596c3020dd933b1b6803ce10e0e60f88
            • Instruction ID: be6563652cba9969931ec7a8285d1b9dde2335a275badaf441bf53c949b5c4a9
            • Opcode Fuzzy Hash: 961af957aecc1f58b36449347d53a0a4596c3020dd933b1b6803ce10e0e60f88
            • Instruction Fuzzy Hash: 6071EDB6C01266AFDB25CF59C9907BEBBB4FF59700F15815AE842EB360D7709900CBA0
            Function 03CEDAC6 Relevance: .2, Instructions: 202COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4f77085f52588d44e61f6fa105c26e566d17499408ce1b33f813454099e58a7d
            • Instruction ID: bbc80a8c7f86790d88d1addd4fab54732ee52cd7c3d8a54c12301cc8b2eb1109
            • Opcode Fuzzy Hash: 4f77085f52588d44e61f6fa105c26e566d17499408ce1b33f813454099e58a7d
            • Instruction Fuzzy Hash: 64818A70E003A59FDB24CF6AC448AAAFBF1EF49740F048499E496EB285D374D941DF60
            Function 03C4260B Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9dce0243f801cfd8d3e546f4da066e12b5fd28e11cf2e2dd7f25a8d7cfd55d89
            • Instruction ID: 1b50a3005f9564603b728089805cb6684cfa7d90e0c62c581a923bb966174aa3
            • Opcode Fuzzy Hash: 9dce0243f801cfd8d3e546f4da066e12b5fd28e11cf2e2dd7f25a8d7cfd55d89
            • Instruction Fuzzy Hash: 2071EF356046419FD311DF29C485B6AB7E5FF88310F0A89AAF898CF351DB38D946CBA1
            Function 03CF70E9 Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 85796e0c95d6f6702691d0380363dd2d154123b8da077525889db2eb793d0c65
            • Instruction ID: 621dd9b3bcd505324f97fbe2d246ba7d53260be8629dc65d6ce882c396671820
            • Opcode Fuzzy Hash: 85796e0c95d6f6702691d0380363dd2d154123b8da077525889db2eb793d0c65
            • Instruction Fuzzy Hash: 7D61F575E00316EFCB50EFA5C881ABFB779AF44240F15842AEA15EF240DB74EA459B90
            Function 03CEF0CC Relevance: .2, Instructions: 199COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aff80506c5894f0cdd70ce11c4eef3ac30b7a10cf8f177fd289ace0cb8bd49bd
            • Instruction ID: 3202fd075602b999928403ddec77754a03fc7e169e73f22b5c24f5becc77aa35
            • Opcode Fuzzy Hash: aff80506c5894f0cdd70ce11c4eef3ac30b7a10cf8f177fd289ace0cb8bd49bd
            • Instruction Fuzzy Hash: 2C717B79A01626DBCB24CF5AC08017AF3F1BF94705B6A846ED882DB640D775EA91CB90
            Function 03CB035C Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction ID: 658979fea8a8c4bf489c64df67a9d1024b1d12563a15e889c66eac6aab488478
            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction Fuzzy Hash: 9F717C75E00619AFCB10DFA9C984EEEBBB8FF88300F154569E505EB250DB34EA45DB90
            Function 03CC62A0 Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f83400c569c50e7396a60a7433fdff80bbe4ce018c326fd29d04f8460807c10
            • Instruction ID: e52b77e4d66bf35b16312950d16c000526c9f9498e08d37282f5a091a2dd50ee
            • Opcode Fuzzy Hash: 7f83400c569c50e7396a60a7433fdff80bbe4ce018c326fd29d04f8460807c10
            • Instruction Fuzzy Hash: 32710E36210B41AFDB21DF14CA44FAAB7B5EF40720F1D492CE656CB2A0DB74EA64DB50
            Function 03C38AA0 Relevance: .2, Instructions: 197COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f27c05b773f56128a06b5d080b78535557bcd69a3e376677fe452ef8f6537f4
            • Instruction ID: efdd69183e5ca98ba0f710f6ed188c0fef42d37e6d26012bb2a827099b6be048
            • Opcode Fuzzy Hash: 2f27c05b773f56128a06b5d080b78535557bcd69a3e376677fe452ef8f6537f4
            • Instruction Fuzzy Hash: 8C81C172A0434A9FDF24CF59C484B6DB7B5BF99324F1A456AE810EF281C7349E40CB90
            Function 03CF7A46 Relevance: .2, Instructions: 193COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b6a2bacfdf4b287f4f49251b39e6dc9a1472017f182804c79cef07d5363a87a
            • Instruction ID: d82212def3655ed857cc0384b3720a6b84ca8943df934e8922559a653aad7316
            • Opcode Fuzzy Hash: 0b6a2bacfdf4b287f4f49251b39e6dc9a1472017f182804c79cef07d5363a87a
            • Instruction Fuzzy Hash: 43513A75A002255FCB54DF69C880ABAF7F6EF88350B194169EE54DF384DE34CA12C7A0
            Function 03C2CF50 Relevance: .2, Instructions: 190COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
            • Instruction ID: f7cf42cfaadf67dc36663a1393e504a33782c0c1020eee6b4144a27b36fc58b7
            • Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
            • Instruction Fuzzy Hash: 4E71AB79540B518BD731EF25C944B22BBE4BF903A5F184B2ED8E2CA9E4E330A641DB40
            Function 03CF132D Relevance: .2, Instructions: 188COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c681e5d6055cd47917bf305b1e8c5e4d89b171489ffc8c12718f1eb64aefb5ed
            • Instruction ID: 8c42b103fd496ddfa548e0b2fae1e74ed72c4b3a39ebee67dd9bd977eed2e264
            • Opcode Fuzzy Hash: c681e5d6055cd47917bf305b1e8c5e4d89b171489ffc8c12718f1eb64aefb5ed
            • Instruction Fuzzy Hash: F7817F75A00245DFCB09CFA9C490AAEBBF1FF88310F1981A9D859EB355D734EA51CB90
            Function 03CFCE93 Relevance: .2, Instructions: 172COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction ID: 9b13aa5ddc45553320d68fb4255997a493950b2324b09ded71dbb9e5a7035fe3
            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction Fuzzy Hash: DE51353270430A4FC794DE298C5076BFBD6AFC1250F1EC46DEA96CF249DA30DA0A8791
            Function 0040FAF3 Relevance: .2, Instructions: 165COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction ID: e96f32ed0f315b5cdf3b9399d6f962689f49e6c642461e4b58ad7070f5251063
            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction Fuzzy Hash: CC5173B3E14A214BD3188E09CC40631B792EFD8312B5F81BADD199B357CA74E9519A90
            Function 03C6E443 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9a0f6cb3ad7295be4590db7a1824f2f666f8c399c49b42eff4641a80e531eb1
            • Instruction ID: e177d1efad25c379a972b64c11ed9cc046b5d9fdf5468c6c722510cc13bdb38d
            • Opcode Fuzzy Hash: f9a0f6cb3ad7295be4590db7a1824f2f666f8c399c49b42eff4641a80e531eb1
            • Instruction Fuzzy Hash: B9516A79600A49DFCB21EFA5CAC0E6AB3F9FF44684F45056AE942DB260D730EA50DB50
            Function 03CD4180 Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c16deef43b7a6d1d15f336f7ca78b29aac4eb6635c1ba40d1e24887d795bca15
            • Instruction ID: f06e4223576867e601a23bb0b304ada3b2919829183c587f55ddf5549e9eb927
            • Opcode Fuzzy Hash: c16deef43b7a6d1d15f336f7ca78b29aac4eb6635c1ba40d1e24887d795bca15
            • Instruction Fuzzy Hash: 875169756083418FC758DF2EC881A6BB7E5BFC8214F85492DF689CB650EB30DA05CB56
            Function 03C545B1 Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
            • Instruction ID: 66a05acdbf5a061c59f91ff90815c9a2099c3586ddbf31f6a6d043882ee045bf
            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
            • Instruction Fuzzy Hash: 92518075E00219ABDF19DF95C844BEEB7B5AF45350F05406AE901EB240D734EEC4CBA8
            Function 03CB3A6C Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 68750b895841e7d903dcdd53e8ff43bc580fa84f21949d4c4ac7c1dcafa854d0
            • Instruction ID: 522bbe2811db6808b0e3632afd7673d442fe50d1b326c2c80fa16f837e2e37ef
            • Opcode Fuzzy Hash: 68750b895841e7d903dcdd53e8ff43bc580fa84f21949d4c4ac7c1dcafa854d0
            • Instruction Fuzzy Hash: 74518C36E4016D4BEF24CA58D461BEFB3F2EB94310F48081AE855FF3C4CAB66A56D650
            Function 03CAD800 Relevance: .2, Instructions: 155COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f872ddf71e4dd1ab9cc15c4d67f178d0531b14b46b07be805c70f152cebad44
            • Instruction ID: 30a1f8d5a72a9a17668d46f03c5f22e9be50ccf4913b6d25265daad55b4d9861
            • Opcode Fuzzy Hash: 8f872ddf71e4dd1ab9cc15c4d67f178d0531b14b46b07be805c70f152cebad44
            • Instruction Fuzzy Hash: DC51E474600B16EBCB14DF6DC4A4ABDB7B4FF45708B094199E942DBA90EB34DA50CB90
            Function 03CBE9E0 Relevance: .2, Instructions: 154COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
            • Instruction ID: aa496e11598262de0e65ccae1d3a0e7ba4ce7bd289fa4f983151d857b927bc85
            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
            • Instruction Fuzzy Hash: 3551C435D01219EFDF20DBB4D894BEEBBB8AF00B24F154669D912EB190DB309E40DB94
            Function 03C2EFD8 Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b33c17ccf4f02e372dec26d82a81de48ec40be56e136386379b9f5ae2a607a0
            • Instruction ID: 99d12953bc0c9af0e83a5c6c6a4b8db9e6478ded6aee7c588ff06d1c3b791968
            • Opcode Fuzzy Hash: 2b33c17ccf4f02e372dec26d82a81de48ec40be56e136386379b9f5ae2a607a0
            • Instruction Fuzzy Hash: 2E51B1756083559FC310EF29D884A6BBBF9FF88618F14486DF895CB291D730E905CBA2
            Function 03CF7571 Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b996057016e8a15077fb9861825fc40c6d4ae8d5ad6bc0be2a148a381c271e11
            • Instruction ID: 1cdc9dea21202d3303a9fda48d17f10be27f9f3d1a75681dfdf86cf2f07f4ce5
            • Opcode Fuzzy Hash: b996057016e8a15077fb9861825fc40c6d4ae8d5ad6bc0be2a148a381c271e11
            • Instruction Fuzzy Hash: A951D732E00115AFCB55EF69D844A7EFBB9FF48390F494169DA11DB254DB70AE11CB80
            Function 03CF8B28 Relevance: .2, Instructions: 152COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6709d4baaf70b248bac3f6806984b4e6864a9a0e784c6a3c96c229782141006d
            • Instruction ID: 37a6eba1f5a0f87eeae548be09e514b981f271ae43184bfb50856da12cfcdcde
            • Opcode Fuzzy Hash: 6709d4baaf70b248bac3f6806984b4e6864a9a0e784c6a3c96c229782141006d
            • Instruction Fuzzy Hash: FE41B0707017109FDAA9DB29CC95B7BF7DAEF80720F098219EA65CF280DB34DA01C691
            Function 03CBCBF0 Relevance: .1, Instructions: 148COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 556b70a8ec948598facc146f6a14da26942a0cfe98a9f014a1acd5477c72655a
            • Instruction ID: df5f57d403b27523235668cdd5d2392ce78312d2c46d3d362cce345ab2c3cb2a
            • Opcode Fuzzy Hash: 556b70a8ec948598facc146f6a14da26942a0cfe98a9f014a1acd5477c72655a
            • Instruction Fuzzy Hash: A3517B7AA00215DFCB20EFA9C980A9EBBBDFF58754F158559D915EB300D770EA01CBA0
            Function 03CB5BF0 Relevance: .1, Instructions: 145COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b6b3ad6aff50a117e7666c929d8a072d0022229b18b58fffa1a3be2416522e84
            • Instruction ID: 55da83f7e8c6fe178472fc5990c61b2270956f243f2335dcd073da1c489f5255
            • Opcode Fuzzy Hash: b6b3ad6aff50a117e7666c929d8a072d0022229b18b58fffa1a3be2416522e84
            • Instruction Fuzzy Hash: FE413F36F40714AFCB25FFB99942AEDBAB19F1A614F02052AE802EF341DA74C9045791
            Function 03C6A430 Relevance: .1, Instructions: 139COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 811d81badd9abce25e87cdb0e7e44a70842b51cb84add3069111c3dd7ba5b587
            • Instruction ID: 1bc59af1295359cb2523b5fcebd4746772c472dbd003d498c373efae932c88d3
            • Opcode Fuzzy Hash: 811d81badd9abce25e87cdb0e7e44a70842b51cb84add3069111c3dd7ba5b587
            • Instruction Fuzzy Hash: 6341367A6007019BCB28FF6998E1B2A7774EF65708F4A1028EE02EF341D771DA208750
            Function 03CFA9D3 Relevance: .1, Instructions: 139COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
            • Instruction ID: 896e3e6f00b57c65170f345c6a92b30bcf534c48b58a3632ab058ea8461d9712
            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
            • Instruction Fuzzy Hash: 7741E6356147559FC765CF24C984A6AF7A9FF80210B09466EEA5ACF240EB31ED18CF90
            Function 03C601F8 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4d1b78fb49cd0d4b708b5dc39b6323922fb4dfcad0adff3cc68c5ae174e691c
            • Instruction ID: b4bfcafb7861ca1c765989d7af620dcc4ef8f6be05d8fe1838d777a12c79ed40
            • Opcode Fuzzy Hash: a4d1b78fb49cd0d4b708b5dc39b6323922fb4dfcad0adff3cc68c5ae174e691c
            • Instruction Fuzzy Hash: 4C41B076D05225DBCB14DF98C480AEDF7B4BF88714F19816AE816FB240D735AD42CBA4
            Function 03C5EBFC Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ec917bc6f12884dff7d8ca02bba236b7acfa298f0bfdd714ce041a20d1a96261
            • Instruction ID: 916d5ee4e7092e3e36b70345ae6c3bf6242e912ee64ac9704cee3bf9f35dedc1
            • Opcode Fuzzy Hash: ec917bc6f12884dff7d8ca02bba236b7acfa298f0bfdd714ce041a20d1a96261
            • Instruction Fuzzy Hash: FC41B1726043019FDB24EF35C884A67BBE9FF88214F05486EF956CB611DB31EA849B54
            Function 03C72750 Relevance: .1, Instructions: 137COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction ID: 13d85d596556611af388a4b347e4fadf4862ad233baf7f9e2192c11fe9cbff8c
            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction Fuzzy Hash: 09512979A0061A9FCB14CF59C580AAEF7B6FF84714F2981A9D815EB350D730AA41CB90
            Function 03C36154 Relevance: .1, Instructions: 133COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 78dc211b4afcbb2aca5f84d145dbdfa6a566710a52b204db35211a52925e8983
            • Instruction ID: 94efeb148bf6818c9574c6bd282a08c3a29ba0d9ed82bba251c7d01670cc3372
            • Opcode Fuzzy Hash: 78dc211b4afcbb2aca5f84d145dbdfa6a566710a52b204db35211a52925e8983
            • Instruction Fuzzy Hash: 29511770904256EBDB25DB24CC44BE8BBB5EF12314F0A82E5D465DF2C0D779AA91DF80
            Function 03C30BCD Relevance: .1, Instructions: 130COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b8bd46b3da2e99b0e6ed37decba2bfad06ea68505fb2a4c06c09598aa486bba
            • Instruction ID: 3627e25b2a1d73cf669627f5fc64cfe72af53ccbfd40b26a0b9be16e5e12ff71
            • Opcode Fuzzy Hash: 5b8bd46b3da2e99b0e6ed37decba2bfad06ea68505fb2a4c06c09598aa486bba
            • Instruction Fuzzy Hash: EA417336A002289FCB21EF69D940BEAB7B8EF45744F0500A6E909EF241D7749F84CF95
            Function 03CF866E Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction ID: 87afa016f92e41f19f020d331f3f1d7ae4d5b37b62db79f05259b4bee6576b2f
            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction Fuzzy Hash: 24419575B00319AFDB55DF99CC85AAFB7BAAF84600F194069E604DB341D674DE01C760
            Function 03CFF0E0 Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a7dc4da94b4835bb7e6c61db8abdf58d9d453c03ae8be43680aa41d58fe8c298
            • Instruction ID: b32710921f295c8bf945e48f87f21730e46c30b450a1b65b84ec4f735fca7879
            • Opcode Fuzzy Hash: a7dc4da94b4835bb7e6c61db8abdf58d9d453c03ae8be43680aa41d58fe8c298
            • Instruction Fuzzy Hash: 6A41D0712083418FCB44CF65D8A597ABBE1EB84715F088A5EF995CB382C730D909CB61
            Function 03C30887 Relevance: .1, Instructions: 128COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4944a5c0c5c13c1bc5281fee30a823db15a5f22149f3707f6a727681cdcd0b8f
            • Instruction ID: 62696a3c2c5d9ec3c4be0ad5297aa1e1c2f95a904b23f8122b639afe3ef57cc4
            • Opcode Fuzzy Hash: 4944a5c0c5c13c1bc5281fee30a823db15a5f22149f3707f6a727681cdcd0b8f
            • Instruction Fuzzy Hash: 0F41AFB26007119FE324DF29C480A26F7F9FF4A314B148A6DE457CBA50E730E945CB90
            Function 03CDD5B0 Relevance: .1, Instructions: 128COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f3d2649951639c8dd54ff417db6bcab3a227c25dd622e811099f2664559da39
            • Instruction ID: d2ad6dc4b2c4cc377741fd0d3d96a575a26a4b07d295a566e14eeaee4f04a661
            • Opcode Fuzzy Hash: 8f3d2649951639c8dd54ff417db6bcab3a227c25dd622e811099f2664559da39
            • Instruction Fuzzy Hash: F8410530E082949FCB14DF29C4996BAFBF1EF49300F098889E6C6CF245C734A556DBA0
            Function 03C5A470 Relevance: .1, Instructions: 127COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f77d00fdb08813027ec586934dd6ea84601d88fffb167a539f568f0f0e0831b
            • Instruction ID: 77d5e4067b9254b79ad463feaaf5d3365dfc0264fc6e63de16f31079680d1d9d
            • Opcode Fuzzy Hash: 2f77d00fdb08813027ec586934dd6ea84601d88fffb167a539f568f0f0e0831b
            • Instruction Fuzzy Hash: 9641F43A900614CFCF22EF6AD450BADB7B0FB64350F590255E811EF391DB309A80CBA8
            Function 03C38BF0 Relevance: .1, Instructions: 124COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b732938603a2c1fd60ad7f8185cbd3e4f3315e7d832785cfd1482fabf07af0ae
            • Instruction ID: 208a28b185caad8f7d6ccfab1509f272ea4283c43a5152d7bab935f68d71b309
            • Opcode Fuzzy Hash: b732938603a2c1fd60ad7f8185cbd3e4f3315e7d832785cfd1482fabf07af0ae
            • Instruction Fuzzy Hash: 13412436900305DFDB24EF5AD880A6ABBF5FBA6704F16812AE801DF355C739D946CB90
            Function 03C28918 Relevance: .1, Instructions: 123COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c6f57b9a9522c9eaaaef9ea2c2456265b8b788176d2288b0ef51ee9263866197
            • Instruction ID: a7ce1c0adbf05c58e7c15c21d871bc464348a0642425ea5d2c1696b22688fda6
            • Opcode Fuzzy Hash: c6f57b9a9522c9eaaaef9ea2c2456265b8b788176d2288b0ef51ee9263866197
            • Instruction Fuzzy Hash: 33417F365083169ED311EF66C840A6BF7E9EF88B54F41092AF980DB250E730DE458BA3
            Function 03C2A020 Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction ID: 01f51b06ce5402694c02a7119b4770a2731e69c35503e8d571ba23dd3f8231d2
            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction Fuzzy Hash: A8412E3DA00321EFDB20EF9588507BAFB72EB50759F1A806AE946DF240DA359F40D790
            Function 03C309AD Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 609d7a6789c43f2d60f7e23a06821cc166316f21e4cd3b5616fcf5be29756094
            • Instruction ID: 10fe56150c777f8d68a16ab22551b91eac6bc25c68deacbaf00bc463ae1e072e
            • Opcode Fuzzy Hash: 609d7a6789c43f2d60f7e23a06821cc166316f21e4cd3b5616fcf5be29756094
            • Instruction Fuzzy Hash: 85417972A00710EFD320DF19D840B26BBE4FF49714F25896AE44ACF250E770EA42CB90
            Function 03C60710 Relevance: .1, Instructions: 121COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction ID: 65ed7ba5375eed8e0018d3f6f777fe57bf6e77fa3621d5002ec76568157f58be
            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction Fuzzy Hash: 8541F475A04715EFDB24CF99C9C0AAAB7F8FF18700B10496DE556EB690E730AA44CF90
            Function 03C3262C Relevance: .1, Instructions: 119COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4c3783dec1caa78d47add97902abd8bf63b6cabd3c395946101bd2b9e3ca45b3
            • Instruction ID: 96528d9d843d8e94280d96a026cc495179c783439d5b13e90143cb11ed9380e2
            • Opcode Fuzzy Hash: 4c3783dec1caa78d47add97902abd8bf63b6cabd3c395946101bd2b9e3ca45b3
            • Instruction Fuzzy Hash: D541FD75901714CFCB21EF28D940B29B7B6FF4A314F158AA9C816DF2A0EB30EA40DB51
            Function 03C6C8F9 Relevance: .1, Instructions: 116COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6d941a91dd689aa4e59877eb61dbd5eb9b710e7a8111c4fc43536454512d3959
            • Instruction ID: fb3a2324b94d9a9eb360f888620490ffa6e5d5b5749f8b451c8c4d94cbe15452
            • Opcode Fuzzy Hash: 6d941a91dd689aa4e59877eb61dbd5eb9b710e7a8111c4fc43536454512d3959
            • Instruction Fuzzy Hash: 123179B1A00745DFDB11DFA8C440799BBF4FB09718F2585AAD119EF291D3369A02CF90
            Function 03CFEEDB Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fb783a149c921739dc356aa419da00a65c6d2f256df1ee7fb51bca8fe0d92a54
            • Instruction ID: 231880429d03aa475de78d7623b696f98746a65eea38531e695cd37d17a3b4b7
            • Opcode Fuzzy Hash: fb783a149c921739dc356aa419da00a65c6d2f256df1ee7fb51bca8fe0d92a54
            • Instruction Fuzzy Hash: 24418133E0412A9BCB18DF68D49197AF3F5FB5830475642BDD905EB294DB34AE05CB90
            Function 03CFFA49 Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ca6ba3532587de5736e35cf5566941017a4cb3dabe8a5dcab26c6d7b6e9cc336
            • Instruction ID: 8dac6174b8f61bed443cf8367138d37b2aa0c11c422f9c6b223ab636be82cc21
            • Opcode Fuzzy Hash: ca6ba3532587de5736e35cf5566941017a4cb3dabe8a5dcab26c6d7b6e9cc336
            • Instruction Fuzzy Hash: AB314B367101069FC758CF29CC44AA7BBA9EF84B50F09867CEA18CF284EB74D945C794
            Function 03CB05A7 Relevance: .1, Instructions: 111COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6be0cfb43c62ea792a24569183fdf6af05eca32d851ab155e1e2f0942049f6a4
            • Instruction ID: e336ca7a477239284e44778a445962ef44c6550ed9cb8b624be50e6f26db922c
            • Opcode Fuzzy Hash: 6be0cfb43c62ea792a24569183fdf6af05eca32d851ab155e1e2f0942049f6a4
            • Instruction Fuzzy Hash: B541A0766047519FC320DF68D850AABB7B9FFC8700F094629F895DB690E730E914C7A6
            Function 03C34859 Relevance: .1, Instructions: 111COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0526899b0738c185d2eee1f4761ab92114554302edddbdbe8e7f9f01f3bed094
            • Instruction ID: e6b212da41463d8fc1ea76e8d1bdc782a6cd75b4e53e726d5f520322b061c8a0
            • Opcode Fuzzy Hash: 0526899b0738c185d2eee1f4761ab92114554302edddbdbe8e7f9f01f3bed094
            • Instruction Fuzzy Hash: 7A41D3312083018FC729DF2AD884B2ABBEDEF82350F19446DE955CF290DB70DA11CB91
            Function 03CFFB76 Relevance: .1, Instructions: 109COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 119d64f1d8ec82b7b5f0acbf4da27c73331bc3e4f51e8749aa907d2b0785d03c
            • Instruction ID: 3b03c5ceab29e69d16c6e6825d38c5dd841d5cc45dec0d2a1d40598bcfe587c9
            • Opcode Fuzzy Hash: 119d64f1d8ec82b7b5f0acbf4da27c73331bc3e4f51e8749aa907d2b0785d03c
            • Instruction Fuzzy Hash: EA31D236A10215AFD764DF29CC44AABBBE9EF98350F458568FA08CF244DA74E901D7A0
            Function 0040DD93 Relevance: .1, Instructions: 108COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction ID: ad5efac96acdc666eb0fbdbf29580ce3d4644abfd8fba1576343d3d8f6d57d5a
            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction Fuzzy Hash: FD3193516586F10DD30E436D08BD675AFC18E5720174EC2FEDADA6F2F3C0888408D3A5
            Function 03C402E1 Relevance: .1, Instructions: 106COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction ID: 69723517445f16f383a74be2c1615d633c7495c5cdbc174c30fe51ec29b1bee2
            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction Fuzzy Hash: 7E312132A04254AFDB21DB69CC84B9AFFE8FF05350F0985A6E855DB352D2749984CBA0
            Function 03C34260 Relevance: .1, Instructions: 102COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2c32a7dbad0d2af9421becf8cd0dde14fb2e9790ef2396a062ccd9dadac5f521
            • Instruction ID: 56a47383afe6274590ff3051e7245196c935a147bb33679fe4e9934f9ba9f9bc
            • Opcode Fuzzy Hash: 2c32a7dbad0d2af9421becf8cd0dde14fb2e9790ef2396a062ccd9dadac5f521
            • Instruction Fuzzy Hash: 2741CE35200B45DFDB26CF25C984FD6BBE9AB46714F06842AE999CF250C774F900CB90
            Function 03CAEB1D Relevance: .1, Instructions: 100COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2e483b4f226f3e71d50c2a407082ae5a77cadbf7b99a41f28796c27c4ff0b387
            • Instruction ID: 526bad73f485a910ce212ff6f6cd39e9c4a38a07c63e9a9f567ad994f3ed10d4
            • Opcode Fuzzy Hash: 2e483b4f226f3e71d50c2a407082ae5a77cadbf7b99a41f28796c27c4ff0b387
            • Instruction Fuzzy Hash: 3C31D475242BC29BE322D7BDD94CB55B7D8AB40748F1E00A0A945DF6D2DB28D940C2A8
            Function 03CF61C3 Relevance: .1, Instructions: 97COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2a84df49c298d46af2af758528a3aeb99fba9d2d084c8cdc92915738f3fb6528
            • Instruction ID: 41592f9031f270a6bcd242a1449552cfd13616ee1053ca0dc2756759de82aba0
            • Opcode Fuzzy Hash: 2a84df49c298d46af2af758528a3aeb99fba9d2d084c8cdc92915738f3fb6528
            • Instruction Fuzzy Hash: 7B31AF7AA00259EFDB15DFA8C880BAEB7B9FB44B40F454169E900EF244D774ED50CBA4
            Function 03CF6BD7 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e88ad1fc46d50626941b12bc3602d0de7d2cdc45f4de30cba7fe36df23be8e9
            • Instruction ID: e63278e9fb7ca8943c2ca01be0baa6bf6ee5468240a962fff4ef1ea67e08e49f
            • Opcode Fuzzy Hash: 1e88ad1fc46d50626941b12bc3602d0de7d2cdc45f4de30cba7fe36df23be8e9
            • Instruction Fuzzy Hash: 6D316D32A002049FCB64DF3AD8C5A5B7BF4FF59340F858469E908DF249D270E955CBA4
            Function 03C5EB20 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd2fea5b25f7fe57f223db9787023a15f6cce19ba7c4816cca6f740584683621
            • Instruction ID: 4a9f3d8cec49630ec86e330795e03feb4178c25bb56d2323018b51c005f5d4d0
            • Opcode Fuzzy Hash: bd2fea5b25f7fe57f223db9787023a15f6cce19ba7c4816cca6f740584683621
            • Instruction Fuzzy Hash: 7031C176E01218AFDB31DEB9C840AEEB7B9EF04750F024466F816EB250D6709B409B98
            Function 03CD483A Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3eb5f4df54a919d7cddcaa9ee61e725714747312ba55e773a89c8210fe82d5be
            • Instruction ID: 93d58cfa174d3d57288e8b1a6a965c860314b4db7bd222b412bfea4eefac9a89
            • Opcode Fuzzy Hash: 3eb5f4df54a919d7cddcaa9ee61e725714747312ba55e773a89c8210fe82d5be
            • Instruction Fuzzy Hash: 3A318536A4022CABCF21DF55DC84BDEB7B9AB98350F1500E5BA09E7250CA30DE919F90
            Function 03CF60B8 Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eecdfb3b06cf4a1321aed53c5f24e0b434d6ccb6d79ee886a6aaee5c01fd3e5a
            • Instruction ID: 13f19d8c4a546029ef02adba4c1623571a1b64b6510021f3d264fc3299a611f1
            • Opcode Fuzzy Hash: eecdfb3b06cf4a1321aed53c5f24e0b434d6ccb6d79ee886a6aaee5c01fd3e5a
            • Instruction Fuzzy Hash: 33312136B00315AFCB22EFA9CC50B6EBBB9AF44314F0180A9E641DF351DA31DD009B90
            Function 03C307AF Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b3d76755dbc9f7e92dc1254176536a83a337f55f7a88c515396c29b0dbabc789
            • Instruction ID: cfb8bb9d6942e45a222ea860ac5736488d293a5bff23c13a1c62c9a2ef47b1c1
            • Opcode Fuzzy Hash: b3d76755dbc9f7e92dc1254176536a83a337f55f7a88c515396c29b0dbabc789
            • Instruction Fuzzy Hash: 4031E337A04721DBC711EE288880E6BBBA5EF96664F064569FC56EB310DA30DC0197E2
            Function 03C38550 Relevance: .1, Instructions: 94COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 42f5f77e2f2fe76777421c8a001c9fe388c8b6ce49fc83a764cae6ec0d3fd5d4
            • Instruction ID: b74191d2cd5b8ad9b45b3ef33ef7629c502d497755abfa6541c10850c46fc382
            • Opcode Fuzzy Hash: 42f5f77e2f2fe76777421c8a001c9fe388c8b6ce49fc83a764cae6ec0d3fd5d4
            • Instruction Fuzzy Hash: F1316B716093019FE721DF19C844B2AF7E4EF88B10F0A496EF885DB251D775E948CB91
            Function 0042E753 Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73b5814d064d4584e57949ac4e424009547a8ce8754207bdea76a7619833e973
            • Instruction ID: 1f81b5ca64f14bf3114a14aa627a09f9304f0c47b2e7989595ba948eee6176e0
            • Opcode Fuzzy Hash: 73b5814d064d4584e57949ac4e424009547a8ce8754207bdea76a7619833e973
            • Instruction Fuzzy Hash: 2F31E376B106265BD354CE3AD880656F7E5FBC8320B54863ACA18C3B40E778F962CBD4
            Function 03C5AF69 Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fd7faafbc50f8c61a15b007aa3be4015ee8cb9fdc8963ce3ab98a67bf7efaa21
            • Instruction ID: d1109977b629fe3e33c72f1130714dfd0a0ce216f0dd03d5574d1e1aad67b4cc
            • Opcode Fuzzy Hash: fd7faafbc50f8c61a15b007aa3be4015ee8cb9fdc8963ce3ab98a67bf7efaa21
            • Instruction Fuzzy Hash: 79316676A012689BDB21DF55CC48FAFBBB8EF84740F0501A6FC09E7250D6349E81CB95
            Function 00402E30 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474613144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ae500f42ba5f9438064eec4ae65a2e4d40547eab4061976e48cd53afad81f06a
            • Instruction ID: f5afe6c20085d96978fb0c3b1fe758d6c0b5adc01e0f1296b61163d80a6f941c
            • Opcode Fuzzy Hash: ae500f42ba5f9438064eec4ae65a2e4d40547eab4061976e48cd53afad81f06a
            • Instruction Fuzzy Hash: AB31A272A10A104FD3A8CF6EC985653B7D1AB88310B45C62EE85ED7781D678ED01CBC4
            Function 03C6A6C7 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction ID: a19e44a1327f73014756e4ed085d66f965287a6c8c067a10ad3c3d8c4e157aac
            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction Fuzzy Hash: 6D314DB6B00B01AFD764CF6ADD81B57B7F8BF08B50F08092DA59AD7650E630E900CB64
            Function 03CDEBD0 Relevance: .1, Instructions: 91COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7070b21615f293d6a8076879cc3d095ef4127e92606ae2560e7e2f7ea9c782ce
            • Instruction ID: be4e87470d4f2edefcfc3487c06717d73cf315df694c176e9c8510734cad595f
            • Opcode Fuzzy Hash: 7070b21615f293d6a8076879cc3d095ef4127e92606ae2560e7e2f7ea9c782ce
            • Instruction Fuzzy Hash: 223165B5505351CFCB10EF29C54095ABBE5FB99218F0949AEF588DF251D330DA05CB92
            Function 03C5438F Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dc1a78121d046d775fe5d8fc4f9053e1e255887b32dba96d1815912bc340bc7b
            • Instruction ID: e6a48462c2b19f32d059d3a07f6289ad16991f1b7df53a2b1e72af313b2c87e7
            • Opcode Fuzzy Hash: dc1a78121d046d775fe5d8fc4f9053e1e255887b32dba96d1815912bc340bc7b
            • Instruction Fuzzy Hash: 2931C432B003459FDB28EFAAC984A6FB7F9AB84305F01852AE845D7254D730EDC5CB54
            Function 03C2CB7E Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
            • Instruction ID: a44c834125ff72744d733b008efc711f83fbe2178c0cd0511c2c8e05f7052f67
            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
            • Instruction Fuzzy Hash: 9A21FD3AE406566AC711DBB5C841BAFFB75AF44740F068036AD55EB340E630DA408790
            Function 03CEC3CD Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction ID: 334011cde96643fa32c48cf66fef4eaec6596ce98c8ba4a1cf5b63655bc36fba
            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction Fuzzy Hash: A9212B3F600755A6CB24EBA58840ABAF7B4EF50710F41C01AFDA6CB691E634D950D360
            Function 03C2C156 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 808d2a24da55097e6c1f5b374d6b44d8f2528515d2032048f05b77cd75459b25
            • Instruction ID: ca552e4c9ca1c6eb65cb76c47bc19ef70689b81b2040f6db1451255fff0d5777
            • Opcode Fuzzy Hash: 808d2a24da55097e6c1f5b374d6b44d8f2528515d2032048f05b77cd75459b25
            • Instruction Fuzzy Hash: 6131E8755003109BC730FF14C845BA9B7B4EF41318F5985A9D946DF385DA74DA85CBA0
            Function 03C2E420 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9218d01a0b3d4e70f0bfd9038d92f4231f01dc286f4726a63664d0a2e0d65484
            • Instruction ID: c750406b2e9b68a9076da51aaf7ce2e82dd1a5230474519ef7fed68289f7d08f
            • Opcode Fuzzy Hash: 9218d01a0b3d4e70f0bfd9038d92f4231f01dc286f4726a63664d0a2e0d65484
            • Instruction Fuzzy Hash: 5A31D636A0022C9BDB31EF64CC41FEEBBB9EB05740F0501A1E545FB290D6749E809F90
            Function 03C64588 Relevance: .1, Instructions: 87COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
            • Instruction ID: e1d6e50f0ac4785749ac45d23b0026a92f41432dd699392751e142c745802e8e
            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
            • Instruction Fuzzy Hash: F4216D36A00608ABCB19CF9AC9C0A8ABBB5FF48714F118069ED15DF241D671EA458B90
            Function 03C644B0 Relevance: .1, Instructions: 87COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2003c32d4908fe01be42df2431e9ad962380904efb75938b73faaf5302b2f984
            • Instruction ID: b740bffcd74d81a5c9abf4a39b3d3bb83db5b8d52016fa363028dc0d117bb508
            • Opcode Fuzzy Hash: 2003c32d4908fe01be42df2431e9ad962380904efb75938b73faaf5302b2f984
            • Instruction Fuzzy Hash: EC21C1766047459BCB26EF5AC890B6BB7E4FB88760F054619FC54DF240DB30EA01DBA2
            Function 03D003E6 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 78084e64bd516aca7650be8432384c471c06043c5b32438f98330f784f3c9979
            • Instruction ID: d602b49524a433b672669e6ed90ee64108dcaa31398c45c42b4241a855f82967
            • Opcode Fuzzy Hash: 78084e64bd516aca7650be8432384c471c06043c5b32438f98330f784f3c9979
            • Instruction Fuzzy Hash: 3C316F72A00119BFCB18DBA5D894F9FBBB9FB88604F414169E905E7240DB30AE04CBA4
            Function 03C2E388 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction ID: d94e3241f14df824b99195e5a06dc60c619ac49e5fb7e3408dc31b5287d78757
            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction Fuzzy Hash: 7431A935600654EFDB21DFA9C884F6ABBF8EF84354F1545A9E552DB290EB30EE02CB50
            Function 03CAE609 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 32e1360fe9bcb43cb04e30bb310682eb130285b7dce669081da6e533613295bd
            • Instruction ID: d64bf5d7dfd3e84e340ee56485ac3c9cc53b63125e4356b676da0b02489d0ab0
            • Opcode Fuzzy Hash: 32e1360fe9bcb43cb04e30bb310682eb130285b7dce669081da6e533613295bd
            • Instruction Fuzzy Hash: E2319F75A0060ADFCB14DF2CC884DAEB7B6FF84308B154959E809DB390E771EA41CB94
            Function 03D00591 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4bfceeb4f380ca53bf5050c500052aaa58525543d78636be35501cbda3a1528a
            • Instruction ID: 1edd8c6adf7fbd78d9672c17e4ca0fa5ec13917af8e25ef80a33223c8634e383
            • Opcode Fuzzy Hash: 4bfceeb4f380ca53bf5050c500052aaa58525543d78636be35501cbda3a1528a
            • Instruction Fuzzy Hash: E821F1326002059FD728CE29C884BBAB3A6EFD4B00F998478ED45CB2C5DB30F845CB90
            Function 03CB06F1 Relevance: .1, Instructions: 79COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 15fe22c4be1af1df33c71f673afd3974a7749117fae023c999d5ed66929e9545
            • Instruction ID: d7283b03f35e924db2df2c6e24135d421fbaf87d967c32e58724f6b9ea097bd5
            • Opcode Fuzzy Hash: 15fe22c4be1af1df33c71f673afd3974a7749117fae023c999d5ed66929e9545
            • Instruction Fuzzy Hash: 70216D759002299BCB14DF59C881ABEB7F4FF48740F550069E941FB240D778AD52DBA0
            Function 03CB019F Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9744420570fce007874bcda90de243c8342e87d9105de1592d7264e6eec7ffc3
            • Instruction ID: c8578b5c295a74410eb680d76ddedd4b50a501c69545903d37b65a6312dd23d8
            • Opcode Fuzzy Hash: 9744420570fce007874bcda90de243c8342e87d9105de1592d7264e6eec7ffc3
            • Instruction Fuzzy Hash: BF21DE75600654AFC715DB68C840F6AB7B8FF88740F140069F944DB7A0D738ED10CBA8
            Function 03CB0283 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e6482c83a5375706eece5e1d2e47599cdc49c405468767ec440393c90a1c442e
            • Instruction ID: 3b14ed062cd254d373e38a403371b65222d070d7e71b8cb56929cc2b975137b5
            • Opcode Fuzzy Hash: e6482c83a5375706eece5e1d2e47599cdc49c405468767ec440393c90a1c442e
            • Instruction Fuzzy Hash: 7E21B0729043959BC711EFAAC848BABF7ECBF81240F094556BC90CB251D734DA48C6A2
            Function 03C52835 Relevance: .1, Instructions: 73COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2688eef7d669b38c4f0cf6f95ae4022c0df8f3a8b54c131ddd978b5ca498c6e7
            • Instruction ID: 1d9d41c0af9d50c2f1b7d03adbbdd1c24ff61b1aacfb2eafeed2a84b388b2a64
            • Opcode Fuzzy Hash: 2688eef7d669b38c4f0cf6f95ae4022c0df8f3a8b54c131ddd978b5ca498c6e7
            • Instruction Fuzzy Hash: 7821F63B705780ABE722D7A88C08B2577D4AF41774F2E07A1FD60DF6E2DB68C9418248
            Function 03D001AA Relevance: .1, Instructions: 71COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7c026277872cc5e0963f605c228b607be8d88f840ed5543f7cdc629beb2de6ff
            • Instruction ID: a1c996ebf0ed2adea8d9f8302c7b6fd04acadb1d4cad8cc842706384d237f455
            • Opcode Fuzzy Hash: 7c026277872cc5e0963f605c228b607be8d88f840ed5543f7cdc629beb2de6ff
            • Instruction Fuzzy Hash: A1210A712041905FDB45CB6A88F45B6BFE6EFC6215B0D82E6D984CB342C134D907C7A0
            Function 03C6A30B Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 89bf6f1ecdc4212d89704b192355920728476dbc43691453b374e4ba4c73497a
            • Instruction ID: 27f5c82a5565e25999382ea02ce03eb21b1b659c17bf4b97bf2483c41d70d944
            • Opcode Fuzzy Hash: 89bf6f1ecdc4212d89704b192355920728476dbc43691453b374e4ba4c73497a
            • Instruction Fuzzy Hash: 4521AC79200B519FC724EF29C840B46B7F5AF98748F1884A8A909CB761E331E952CB94
            Function 03CB0946 Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c4ac9b18ae5fbf69d91da4ff2a4638581696d334ad1f07fe177908302628c309
            • Instruction ID: 4a2e446868b3c4265d652c167a394d0d52678c080ceddee46075dd6bd80b4283
            • Opcode Fuzzy Hash: c4ac9b18ae5fbf69d91da4ff2a4638581696d334ad1f07fe177908302628c309
            • Instruction Fuzzy Hash: 8721E7B5E00318ABCB14DFAAD9809AEFBF9FF98600F14012AE415EB250D7749941CB60
            Function 03CC80A8 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
            • Instruction ID: 2aebb0b993bed23d9643834af7d72006999928796a2dde457193570ed4920502
            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
            • Instruction Fuzzy Hash: 41216A76A00249AFDB12DF98CC40BAFBBF9EF88350F214459F901EB250D735DA509B50
            Function 03CFEE26 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b626cd1ebd66efe2a1d26ed84b0573245269cba7ffd092eba36f048cde0aaa41
            • Instruction ID: b42c0aaecd9f2253f29cbe90bc64f7fa5d9f73646468e13c0eddc4bf6e898cbb
            • Opcode Fuzzy Hash: b626cd1ebd66efe2a1d26ed84b0573245269cba7ffd092eba36f048cde0aaa41
            • Instruction Fuzzy Hash: B621B433A104119F9B18CF3DD804466F7F6EFDC31436A427AD912DB268D770BD118A84
            Function 03C60124 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction ID: 79f3aaedb7a8b465795239431ecbc90d82aac5a3843aa8395792b261d8fb5681
            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction Fuzzy Hash: C311EF76604714BFD722DF85CC80FAABBB8EB80754F150029EA01EF180D676EE44DB60
            Function 03C38770 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0e51d3cc6a95cbc97f25b591a414704ff124dfc185160a38a2752dfef3afbfd8
            • Instruction ID: 8cb1c64f987e00113935c51753b20611786dd810b9ca04f982739bc253d2492e
            • Opcode Fuzzy Hash: 0e51d3cc6a95cbc97f25b591a414704ff124dfc185160a38a2752dfef3afbfd8
            • Instruction Fuzzy Hash: 99119D366007209BCB11CF59C480A6AF7EAAF4B750B198069FD08DF205D6B2EA0587A0
            Function 03C6AAEE Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
            • Instruction ID: 60e7b20ee17ab44bcc42502d6fd8cf5e590ea7ad52c0ecb0b37a019d4a2e5c52
            • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
            • Instruction Fuzzy Hash: E32179BA610A41DFC721DF4AC580A66F7E6EBC4B50F19807DE84AEB610CB30ED01DB90
            Function 03CD4F42 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
            • Instruction ID: ad2f8080da0d940114d2e2e96b4a9692d68e638676549b4f6efa35512bf1f224
            • Opcode Fuzzy Hash: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
            • Instruction Fuzzy Hash: 25213EB5E00219AFCB05CF99C8809AEFBB9EF58344F5540A9E905EB351DA719E41CBA0
            Function 03C380E9 Relevance: .1, Instructions: 66COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 30dcca66137ef2276ed95199b2e6707e49d37b17252db808dc964d1e8b2b7be8
            • Instruction ID: 84826ca0f325f18bf7fd52bfbd9749b84de35f61435ddb4f8250a0f006d6b03b
            • Opcode Fuzzy Hash: 30dcca66137ef2276ed95199b2e6707e49d37b17252db808dc964d1e8b2b7be8
            • Instruction Fuzzy Hash: A0215E75A00205DFCB14CF99C581AAEBBB5FB89314F24416DE105EB350C772AE0ACBD0
            Function 03C6674D Relevance: .1, Instructions: 65COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 148937d03ba7c441f10769c27e4fda6e5432889d6a4c8982593179ba9f6183ae
            • Instruction ID: 845c494c502a3506b526fce0f5a4d5dc361e75d4b006c9b5069de135b4ec27fe
            • Opcode Fuzzy Hash: 148937d03ba7c441f10769c27e4fda6e5432889d6a4c8982593179ba9f6183ae
            • Instruction Fuzzy Hash: 69215675611B00EFC720DF69C881B66B3F8FF84250F44882DE5AACB650DA70AD60DBA0
            Function 03C5E8C0 Relevance: .1, Instructions: 63COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 03f842aa3acf97d3bab3288d2fe7cacfe3e68ce5acc1c03a2686d176088cb376
            • Instruction ID: 60c1150fa07e218dde3d21fb85910f4103539e5458085534f1a4f831042ea2aa
            • Opcode Fuzzy Hash: 03f842aa3acf97d3bab3288d2fe7cacfe3e68ce5acc1c03a2686d176088cb376
            • Instruction Fuzzy Hash: 75114C373002145BCF19DB25CC85AAB725ADBD5374B29853DE912CF340DB31C941C294
            Function 03CC6870 Relevance: .1, Instructions: 63COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 40001b0ea96dcb87d05231040fffb27f9198631cee8aec9ec7894a9ba248ba8b
            • Instruction ID: 214fd654ff103d550314335f5c7e08ec5b6c43a68f9f1ba9b5d3311088c88e81
            • Opcode Fuzzy Hash: 40001b0ea96dcb87d05231040fffb27f9198631cee8aec9ec7894a9ba248ba8b
            • Instruction Fuzzy Hash: E011E336250684EFC722DB59CE40F5AF7A8EF99760F094068F645DF250DA71E912C7A0
            Function 03C666B0 Relevance: .1, Instructions: 61COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 32755500ce7151faa8850d394bd09d3b4547de4b35fd8aad6018725e3309bbe7
            • Instruction ID: 7b6e3cd28f0ba25faa3acc23b8e4be216cb1aa7f326c0eafae0b4d01cd0efe48
            • Opcode Fuzzy Hash: 32755500ce7151faa8850d394bd09d3b4547de4b35fd8aad6018725e3309bbe7
            • Instruction Fuzzy Hash: 6F11CE76A01344EFCB24DF59D5C0A5ABBE8EF94650F1A8079E905DF310DA70DE10CBA0
            Function 03C30AD0 Relevance: .1, Instructions: 61COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
            • Instruction ID: 18cf54dc203c4da76df7f5490ea97d7eaf7248fee61903a0204a5ce2f6567d10
            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
            • Instruction Fuzzy Hash: 102106B5A00B059FD3A0CF29C440B52BBF4FB48B10F10492EE88ACBB40E771E814CB94
            Function 03CFA8E4 Relevance: .1, Instructions: 61COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
            • Instruction ID: b59abd1b0c18561658820a268b63dd8a7862b987ffa63e3222d33a6b9fdb688f
            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
            • Instruction Fuzzy Hash: B5110436A00A05AFCB19CB54CC05B9DF7F5EF84310F098269E846DB340E631EE11CB80
            Function 03CBE7E1 Relevance: .1, Instructions: 59COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
            • Instruction ID: 13801510db0f1f0c7dc890756a10c7d19eb477ecc08d12019e762a60c7a1ad58
            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
            • Instruction Fuzzy Hash: 6A113D36A00A00EFD721DA69D840BD6B6F6EB45B54F098428E949DF160D772DD40D7D0
            Function 03C527ED Relevance: .1, Instructions: 58COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 914b6323b2efa39914e25e9993f52a19d517a3f8de8c3e0d3f59ceec9a00deac
            • Instruction ID: 216285a4be265a4151c83fff3c8e58c0bd757b409737cee5fba9f7763617fca9
            • Opcode Fuzzy Hash: 914b6323b2efa39914e25e9993f52a19d517a3f8de8c3e0d3f59ceec9a00deac
            • Instruction Fuzzy Hash: 3D01043B605684ABE316E2AA9888F27B6DCEF80354F0A0465F800CF641DA14DC00C2A5
            Function 03C34690 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 01afa505e28cd14948947aa6840df5776a4f49f4f9ec82641f0da71e55f4fb20
            • Instruction ID: f8b6084924b56ee8d7609ecbc636c3716a98a344a08e3090609cf79bae5b3686
            • Opcode Fuzzy Hash: 01afa505e28cd14948947aa6840df5776a4f49f4f9ec82641f0da71e55f4fb20
            • Instruction Fuzzy Hash: 7611AC3A240744AFCB29CF5BD944F56BBA8EB87B65F094129F814CB290C770E940CFA0
            Function 03C66620 Relevance: .1, Instructions: 56COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ff6f645621d250429901080fa664ef9ac12e00f96d4a3c2267f48f95efd7be33
            • Instruction ID: e6662d27676f65cdc559cda05f0d0d5f4858f5d6df78709724b84abd465faf1c
            • Opcode Fuzzy Hash: ff6f645621d250429901080fa664ef9ac12e00f96d4a3c2267f48f95efd7be33
            • Instruction Fuzzy Hash: 1011E17AA00715ABCB22EF69E9C0B5EF7B8EF84740F550058E901EB200D730EE119BA0
            Function 03C5EA2E Relevance: .1, Instructions: 56COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b519195405266fc1efc34027a301ac0c853d9ee7cc7c07e28a5b7499abde96b1
            • Instruction ID: 885a974aa654cffe98b3e25651b1a25e086a997f681643177d2b03dd5a9d539d
            • Opcode Fuzzy Hash: b519195405266fc1efc34027a301ac0c853d9ee7cc7c07e28a5b7499abde96b1
            • Instruction Fuzzy Hash: 9501C0765002089FC324DF24E404F66FBEAEB96318F2581AAF404CB361D770AD86DB94
            Function 03C5E53E Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
            • Instruction ID: 3158ae72fbcf99ac817c5cfbb6f16d3895374a002c46d9d2393aa4107db26d6b
            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
            • Instruction Fuzzy Hash: 211148362056C19BFB22EB39C848B6477D8EB40B45F1F00E6ED40CF642E728CA82C214
            Function 03CBE75D Relevance: .1, Instructions: 54COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
            • Instruction ID: dee22c9ca63eb0b0575d4b27dfbdc899b8215db0214e650d98c39a470cf34583
            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
            • Instruction Fuzzy Hash: D301CC36600204AFD721DB65E800BDABBB9EB82F50F0A8024E905EF260E775DE40DB90
            Function 03C2A250 Relevance: .1, Instructions: 52COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction ID: 12d3bba0c3323fe33c34916dca6f41ee620892b90c576c09fb6824eb1a21bf24
            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction Fuzzy Hash: 1B01C475505721ABCB20CF159840A26BFA9EB45760705896DFC99CF680DB35E520DB60
            Function 03C36259 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d0ecdaad664d8ff89e5926c856896195afe6d87bc18b8b5a58e1d7f565c06378
            • Instruction ID: 81856130d4f43588c913eb7038bbca9c8ca3bdd32b3c4722dd8931433d9c472a
            • Opcode Fuzzy Hash: d0ecdaad664d8ff89e5926c856896195afe6d87bc18b8b5a58e1d7f565c06378
            • Instruction Fuzzy Hash: 5C11AC75601328ABDB25EB24CC82FE8B378EF04710F5145D4A729EA0E0DB70AE91DF84
            Function 03CAE1D0 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 279cf10a722991f2c3d68975938505885a14797f4699a1776130811fe816502a
            • Instruction ID: 98b7fe9720cd3cea54cce483054075de9900f355f4205f5983535a0e25612986
            • Opcode Fuzzy Hash: 279cf10a722991f2c3d68975938505885a14797f4699a1776130811fe816502a
            • Instruction Fuzzy Hash: EA117936641740EFCB15EF29C980F56BBB8FF48B88F2500A5E905DF6A2C235ED01DA90
            Function 03C3208A Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction ID: 0e3e33b9c58b64cf344593abda0f1ef420995afa2fc3a8f9efe2aacf16f29114
            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction Fuzzy Hash: 5C0128322002108BDF10EA19D880BA6B76AFFC5700F1948A9ED01CF245DA71D981C790
            Function 03CB6050 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c29aa06828819b8a632bb2e0bbd819583fb8141832191ff2080dcf94706d3379
            • Instruction ID: 6d0b0884ced56b898a1fb7a52e9f715afbf03c75a1fb2b6cbadf15a433b3b51c
            • Opcode Fuzzy Hash: c29aa06828819b8a632bb2e0bbd819583fb8141832191ff2080dcf94706d3379
            • Instruction Fuzzy Hash: BA112977900119ABCB11DBD5DC84DEFBB7CEF48258F054166E906E7210EA34EA15CBE0
            Function 03CC6500 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 905a001b6af4512a6b9ac1779b13a4976cb0c48de06ef9994a19a3dbd31136c5
            • Instruction ID: aef69323619880fdfa07989289510e2c65cc9434f0fd1be63fcc55a8bbeada68
            • Opcode Fuzzy Hash: 905a001b6af4512a6b9ac1779b13a4976cb0c48de06ef9994a19a3dbd31136c5
            • Instruction Fuzzy Hash: 8311A1366541869FC710DF59D900BA6F7B9FB5A314F1C8159E848CF316D732E981CBA0
            Function 03CBC810 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 67dc10c540e4c69ab50188c11919129c1918ddef2bd5dbf74bddb179e4385c6c
            • Instruction ID: cbf0ca47e642bf8a025fee25ad82fb12bff634ead179262a6a78ae7d6a28645a
            • Opcode Fuzzy Hash: 67dc10c540e4c69ab50188c11919129c1918ddef2bd5dbf74bddb179e4385c6c
            • Instruction Fuzzy Hash: 051118B5E002499BCB04DFA9D541AAEBBF8FF58240F10806AA905EB351D674EA018BA4
            Function 03C720F0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7ad1ffe8fa98f707b3ec4cc401a234f4a422d2a36de740bad065b07e23b35998
            • Instruction ID: ce5cbd2998507796487dc0ada1acb510b6b50e439d050d7d25cbbb0b8fa4f379
            • Opcode Fuzzy Hash: 7ad1ffe8fa98f707b3ec4cc401a234f4a422d2a36de740bad065b07e23b35998
            • Instruction Fuzzy Hash: 62116D35A0020DEBDB05EFA5C850EAE7BB9FB44244F004059ED12DB250D635EE11DB90
            Function 03C2C020 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction ID: 8b5f628d5636348085379f4fde6ed7611b9c8f9cdf63ff8f3b6a8ee6ecd98554
            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction Fuzzy Hash: 5F01F5321007449FDB22F766D804EABB7E9FFC4654F09881AA947CF580DA70E641CB60
            Function 03C6E5CF Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1f2e7f3f70ad11b2ba04c5f301796de01b83f3f74c62572e7d022414dadc5ee6
            • Instruction ID: 68cdfb7b6aafc2744a8b75564cdc2a326cea27f354393ebf4d998647b7f938ee
            • Opcode Fuzzy Hash: 1f2e7f3f70ad11b2ba04c5f301796de01b83f3f74c62572e7d022414dadc5ee6
            • Instruction Fuzzy Hash: 3101DF75201B54BFC211FB39CD81E17BBACEB846A4B010A26B504CB651DB34EC11D6A0
            Function 03CC69C0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8ae46367e5162fb892fe6747b1d66ba29912aa67edb389d178d4037b2ac175a9
            • Instruction ID: d8036c89d785b61893e1d63baf7eef26b4b667e41644e86870dcf1aa29cfc150
            • Opcode Fuzzy Hash: 8ae46367e5162fb892fe6747b1d66ba29912aa67edb389d178d4037b2ac175a9
            • Instruction Fuzzy Hash: 4F01FC36334341DBC324DF69C948967F7A8EF84660F15412DE859CB280E7309911C7D1
            Function 03CBC460 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 11ff8dfd89b7215d7660d00e0746416863e56d5590f563b731c1f64553df8413
            • Instruction ID: df5e679804e1a2aa865bef32257f31efb246bb64498fde7634a156ea70687eb0
            • Opcode Fuzzy Hash: 11ff8dfd89b7215d7660d00e0746416863e56d5590f563b731c1f64553df8413
            • Instruction Fuzzy Hash: 38111B75A01248EBDB15EFA5C844EEEBBB9EB58350F008059FC02DB350DA35EE51DB90
            Function 03D04A80 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
            • Instruction ID: 688ffab29b6709e0a0314e9f641c1a1b79e64fad536ecc9445bde9c25fde4c10
            • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
            • Instruction Fuzzy Hash: B101D8362007419FDB21DA9AD845F57B7FAFFC5A14F084419EA43CB690DAB0F890CB54
            Function 03CBCA11 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 28686d0744ad43105330bcb06d805b26a5251fac4dfadb05e0b0372e4e12b370
            • Instruction ID: 91a1de2e101607fee87885866cb465b930a437d8787b015a89153d28d94c0d1b
            • Opcode Fuzzy Hash: 28686d0744ad43105330bcb06d805b26a5251fac4dfadb05e0b0372e4e12b370
            • Instruction Fuzzy Hash: 1D1157B56183089FC700DF69C44198ABBE8EF99350F00851AB998DB3A0E670E9108B92
            Function 03CBC97C Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fde3546e7f7009a622c12e91aab1543ce27272fc431dc93c9d3b67d90fea769b
            • Instruction ID: 78f1651f10f5226ec049581c812ed25d1191fa774a3c74634d7e4bed280bfe29
            • Opcode Fuzzy Hash: fde3546e7f7009a622c12e91aab1543ce27272fc431dc93c9d3b67d90fea769b
            • Instruction Fuzzy Hash: 521139B5A183489FC700DF69D44199BBBF8EF98710F00851AB998DB391E670E900CB96
            Function 03C2826B Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e010975258c13b822550de45133327b32b04503b59971c82d59a0b23a08fa049
            • Instruction ID: 81d2ca28b61b82a9017a17080db5d615e6d953b6020668bbb3484d4ebea12ae9
            • Opcode Fuzzy Hash: e010975258c13b822550de45133327b32b04503b59971c82d59a0b23a08fa049
            • Instruction Fuzzy Hash: E301A776B00718DBC714EB66D8109AEBBB9EF40610F1E40699902EB640EE70EE01D691
            Function 03C4E016 Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction ID: 58cfeb3b82e2ad4587cbb24423230213fbf801dc41b43e2eed1168b641a49506
            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction Fuzzy Hash: 6C015672200A809FD322E72DC948F36B7ECEB85754F0E04A1E815CFAA2D738DE40C625
            Function 03C32582 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aa075f6a01ee2a3f8802e23ae9da102efbc2e70abb0609ed1adccd770373f327
            • Instruction ID: fa8e7b178476838cb064879e3828bc4fc7d49edc068536fab2d4ac32c099d5df
            • Opcode Fuzzy Hash: aa075f6a01ee2a3f8802e23ae9da102efbc2e70abb0609ed1adccd770373f327
            • Instruction Fuzzy Hash: 9EF0F432B41B20BBC731EB56CC40F17BAADEF85A90F054429A605DB640DA34EE01DAA0
            Function 03C2C310 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction ID: ab5b5d546514d78179847919d1c7de3a7f08a707c974f547f1120e4177486e74
            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction Fuzzy Hash: 55F0FC372447329BC732D6598880FBFBE958FC5AE4F1A8435E109DF204CAA48C0166D0
            Function 03C5C073 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction ID: d313dc013c0730c13839ad5c0576671c2b78b74b30814ecb3f20dd6e12f249e3
            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction Fuzzy Hash: 0DF0C2B3A00610ABD324CF4DDC40E57F7EADBD4A80F098128A905CB220EA31DD04CB90
            Function 03D04FE7 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b42fe39d195f8265b0a57b32bcb72c596f1375d19a165644a868e50ed54b9895
            • Instruction ID: e2bf6f3cd00dcec7452eafd211a279123be219a4985010140e96e75bc4ef1436
            • Opcode Fuzzy Hash: b42fe39d195f8265b0a57b32bcb72c596f1375d19a165644a868e50ed54b9895
            • Instruction Fuzzy Hash: 96017175A00208ABCB00DFA9D940ADEBBB8FF48700F10005AE900E7380D674DA018BA0
            Function 03C6CA6F Relevance: .0, Instructions: 42COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
            • Instruction ID: 5e3fd78be165e04ea00fb27c247a3b0ed3ed2e9c3ccb743ab175c721ec0fab65
            • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
            • Instruction Fuzzy Hash: 4E01A436210B859BD322D75DC845F99BF9CEF81754F0D80A1FA44CF6A2D779C901C255
            Function 03CB63C0 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
            • Instruction ID: 9b335c1a50c4e1b0abd8c920e5b24903d8231f066bbc29205a670e49d84d29cf
            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
            • Instruction Fuzzy Hash: A3F0F97620011DBFEF019F94DD80DAFBB7DEB49298B114125FA11D6160D631DD21ABA0
            Function 03D061E5 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 32c6e7bb9cdd26ca1f63edc4a7b0434f363218b78fc1ca57966d3c4a80cab349
            • Instruction ID: d20a33663720d1899999862cf9c77b3bd5703e706a97b84c5466b5ee3888c61a
            • Opcode Fuzzy Hash: 32c6e7bb9cdd26ca1f63edc4a7b0434f363218b78fc1ca57966d3c4a80cab349
            • Instruction Fuzzy Hash: 32018F71A00258DBCB04DFA9D845AEEBBF8FF48710F14005AE900EB380D774EA01CB95
            Function 03CBA4B0 Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 32d59b1365e3e9f2ff568b2cd63a31b69ff4e763413e97c079ecaef98cd427c0
            • Instruction ID: de320dbc552d1715b6efe1a7cd103efcbf6b3217435557d34d585966df2028d6
            • Opcode Fuzzy Hash: 32d59b1365e3e9f2ff568b2cd63a31b69ff4e763413e97c079ecaef98cd427c0
            • Instruction Fuzzy Hash: 4C01893A100209ABCF12AE84D840EDA7B76FB4C754F068101FE58AA220C232DA70EF81
            Function 03C2C0F0 Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9b3a6d9c3d5c75bc077576970c6219c012e9ede7d3ffe6639efe9082a92e1d67
            • Instruction ID: 10265be51b24358084e350df41fcd1d23b15f28d516339f405fe2205f2168a86
            • Opcode Fuzzy Hash: 9b3a6d9c3d5c75bc077576970c6219c012e9ede7d3ffe6639efe9082a92e1d67
            • Instruction Fuzzy Hash: CAF024B12043645BE715E659DC02B663A9AEBC0691F29C06AEB05CF2C0EA72ED018394
            Function 03C6656A Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cb85d456ae9cbdda9ea745c15eb6a63315bfdec138803b66edc3b1d6058d0b5e
            • Instruction ID: 076ec8cce00584bfd5ebbb201952e96e4d2ac624ab2d9472d78a68d053a0e04c
            • Opcode Fuzzy Hash: cb85d456ae9cbdda9ea745c15eb6a63315bfdec138803b66edc3b1d6058d0b5e
            • Instruction Fuzzy Hash: D501A474201BC19BE326E72DCD99F2577A9AB40B04F8D0194B902CFBD5D7A8D5118214
            Function 03CD437C Relevance: .0, Instructions: 37COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction ID: 7f7e34b023ffe957f92d17a240371a5d1c9bba870f73867d0663f4660b44c3c6
            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction Fuzzy Hash: 3FF08939781B1247D77DEA6F9450B2EE2559F80A50B4E052CB755CFE40DF70DD019790
            Function 03CBC89D Relevance: .0, Instructions: 36COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5337ec8c9dda285dfd7c68b83882abd3a30dca9503b5ceaa0b15ba94a91b20e9
            • Instruction ID: 5184120d15c70911569e138a6c22a60ae0753d1eca00ddcbe9f4fc3cbefde9fa
            • Opcode Fuzzy Hash: 5337ec8c9dda285dfd7c68b83882abd3a30dca9503b5ceaa0b15ba94a91b20e9
            • Instruction Fuzzy Hash: 3BF0AF756153449FC314EF29C845A1AB7E4FF98700F40865AB898DF390E634EA01D796
            Function 03CBE872 Relevance: .0, Instructions: 36COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
            • Instruction ID: 7f77a9b72ba2389cdc754035c846b027b926292f2fad03caeb198439fb34ead7
            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
            • Instruction Fuzzy Hash: 1EF05E37711A619BD321DA6EEC80F96B3B8AFD5E60F1E0165A904DF260C762EC01C7D0
            Function 03C60854 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
            • Instruction ID: 3caf91b3b82613d4078f1790c55e67e7f8458aed6f052357b31e4e3cf6d2c9ac
            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
            • Instruction Fuzzy Hash: 42F02E72600300AFE324DB26CC02F86B3E9EF9C300F1580789845EB2A0FAB0EE00D694
            Function 03CBC912 Relevance: .0, Instructions: 34COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 70d2f80a6a48e405065fec53fee483d23547ef43cf72812b49ac66cb347a9195
            • Instruction ID: 1c0bc4688b56e35155445196a9767f7e4c5526b5be256be97a785a9203bc1b78
            • Opcode Fuzzy Hash: 70d2f80a6a48e405065fec53fee483d23547ef43cf72812b49ac66cb347a9195
            • Instruction Fuzzy Hash: F7F04F74A01349DFDB04EF69C515A9EB7B4EF58300F008056A855EB385DA74EA01DB95
            Function 03C347FB Relevance: .0, Instructions: 33COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8e3ed25cce3a2bfda0612dbc7c089ca6128d1d009c14704db575f41160f9019d
            • Instruction ID: 82c0c06972175104a612fa73df2a256189eccf1ccb111a06379035209f02ba8f
            • Opcode Fuzzy Hash: 8e3ed25cce3a2bfda0612dbc7c089ca6128d1d009c14704db575f41160f9019d
            • Instruction Fuzzy Hash: FAF0B43B9127D09FD736CB5BC444B21B7D9DB02764F0D89AAD889CF541C724DA81CA52
            Function 03CF0115 Relevance: .0, Instructions: 32COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 628f4e59559a59d0ea87436b5ae6e88029c9800bd386d66f48bf7349f6db4c6f
            • Instruction ID: 849fd5fffcf5e33dd4ba1289e7d97ca17ecdd8f02cb5d4ca63eeda070dbb4d73
            • Opcode Fuzzy Hash: 628f4e59559a59d0ea87436b5ae6e88029c9800bd386d66f48bf7349f6db4c6f
            • Instruction Fuzzy Hash: 12F027BB41A7E04ECF71FB286850391BF689762810F1E5089C6A1DF306C9B5C683C620
            Function 03C72619 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction ID: 5454cd1563acdc3bee0c0a4f5547bf1545a0385d7877bf5e38eccf05c10ae5fa
            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction Fuzzy Hash: 8FE092723006006BD721DE59CC80F47776EAF86B10F05047AB904DE251CAE69D0982A4
            Function 03C6C5ED Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 08459057d9fd85b4357a87bb1e398a6c4d9f21f54b8dc3a9d9c1a22158a32b6a
            • Instruction ID: 2f4a1ca1a02f768a4b633848177fdb6fb736ea464682c8515a0d51c0357166e2
            • Opcode Fuzzy Hash: 08459057d9fd85b4357a87bb1e398a6c4d9f21f54b8dc3a9d9c1a22158a32b6a
            • Instruction Fuzzy Hash: C1F02775515A909FC332D719C1C8B51F3E8DB007A0F0DE465D9DACF952C364C980CA58
            Function 03C6CF80 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
            • Instruction ID: 143c900e85c674c7c9f8e6ecd6a512fd8d71c9d1085dae6d03ae4611d289a527
            • Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
            • Instruction Fuzzy Hash: CBF0E236204206EFC701EA5AEC40E9EFFAAEF81710F048012E914CF250DB31A861C710
            Function 03CC6030 Relevance: .0, Instructions: 29COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
            • Instruction ID: bb07ba27d2250d8eaf58f91959635655fae96cb844857ef581cc5346bc6a45fb
            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
            • Instruction Fuzzy Hash: ABF030721142449FE320CF46DA44F52BBE8EB05364F4AC069E609EB560D379EC50CBA8
            Function 03C30710 Relevance: .0, Instructions: 28COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
            • Instruction ID: 87a12ad40f9cf34ee92673e01622df3132510b56eeeac4861ce5204a6ca8c130
            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
            • Instruction Fuzzy Hash: 79F06D3E3047949BDB16DF2AD050AA57BA8EB46364B0500D9E846CF351EB31EAC2CB94
            Function 03C649D0 Relevance: .0, Instructions: 28COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
            • Instruction ID: 0d32a7ee6bfa2d331e85d6b747c9860107777490be65827d67e06de7a5f33095
            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
            • Instruction Fuzzy Hash: 20E0D832244244BFC3259E578C42F6677A9DBC1BA1F160429E140CF551DB74DC40D7EC
            Function 03CD678E Relevance: .0, Instructions: 27COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
            • Instruction ID: fbfb41b2f6a11c20f032899ddbaafb699f42f075875b0c7575d24561bf055a00
            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
            • Instruction Fuzzy Hash: 81E04F72A40214BBDB21DB998D05F9ABABCDB94EA4F570055B601EB190D570DE10D690
            Function 03C325E0 Relevance: .0, Instructions: 23COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 6c4bc2e4c73d468661b012f2c7431116495c18a1ed96c1c2ebc529f8497e4613
            • Instruction ID: 14762044b26e41398390165cffd52a45289cc15dfa1581c7ba4004fe99d317be
            • Opcode Fuzzy Hash: 6c4bc2e4c73d468661b012f2c7431116495c18a1ed96c1c2ebc529f8497e4613
            • Instruction Fuzzy Hash: 3EE092361007949BC721FB29DD01F8A77AAEFA1361F024515B115DB190CA30A810D784
            Function 03CB4000 Relevance: .0, Instructions: 22COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction ID: 9483c06bde7a0abe31757ea4d27738c16b90deff60aff492d2c210f91666726c
            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction Fuzzy Hash: D0E0C2343043058FD719CF1AD080BA2B7B6BFD5A10F28C068A848CF206EB32E942CB40
            Function 03C6CA38 Relevance: .0, Instructions: 22COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f797bc1f67e4890fd6d1491baf00e252806caec4844719024cc0e4e3e4eb642
            • Instruction ID: eb7fba87bc14f12f9616fe235d09cf1b96dc330800d8719e8f2d5f7e3d990784
            • Opcode Fuzzy Hash: 7f797bc1f67e4890fd6d1491baf00e252806caec4844719024cc0e4e3e4eb642
            • Instruction Fuzzy Hash: 06D02B328811306ECB74F519BC44FA33A5D9B40320F0288A1F508D6012D524CC81A2C8
            Function 03C2823B Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction ID: 0735f13feaa6e0276769938e5476d0e95e4f29de0a4dc4c54aa966010bdaabd5
            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction Fuzzy Hash: 59E08C35101B20EEDB31FF12DC04F527AA5FB84B50F164969E482CE4A48BB0AC91EA44
            Function 03C32050 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 640ae5e4a702fa018663e70a754fd336ebfc89bbf86a6e50ee7eae7c1ef1d67d
            • Instruction ID: 05b961014d58bd53b5cca6d95c986c66ee80bc894913873fdc98b64cb312df63
            • Opcode Fuzzy Hash: 640ae5e4a702fa018663e70a754fd336ebfc89bbf86a6e50ee7eae7c1ef1d67d
            • Instruction Fuzzy Hash: 36E0C2332007906BC721FB5DDD00F8A73AEEFA53A0F024221F150CB690CA60EC00D794
            Function 03C68A90 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
            • Instruction ID: 2fa7b67a80ec44014662cf830131b3a6bfeef22481a174181afd4a86dbe033ea
            • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
            • Instruction Fuzzy Hash: C1E08633111B1487C728DE18D951B72B7A4EF45B20F09463EAA53C7781C534E544C794
            Function 03C86AA4 Relevance: .0, Instructions: 17COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
            • Instruction ID: d72fdc063ff551fd43b9f870588d5e084e31647cb2b5f36961a30e2dedf74b65
            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
            • Instruction Fuzzy Hash: F2D05B36511A50DFC3319F17D900D53F7F5FBC4E50706062EA545C7910C770A915DB90
            Function 03C6E59C Relevance: .0, Instructions: 16COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
            • Instruction ID: c960942f854a7028147699e3c6b90b949a79323cf17a358020ba06f46b441a08
            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
            • Instruction Fuzzy Hash: BDD0A932204A60ABD772EA1CFC00FC333E8AB88760F0A0599B009CB050C360AC81CA84
            Function 03CAE908 Relevance: .0, Instructions: 16COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
            • Instruction ID: a12caf7eb73fd4386f74c6e1b792f3678656c3635ab0164f6014ef939dee46c8
            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
            • Instruction Fuzzy Hash: 8CE0EC3AA54B849BCF12EF6DC640F9AB7B5FB85B40F190058A448DF661C624A900DB80
            Function 03C2A0E3 Relevance: .0, Instructions: 15COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction ID: e8f7dc10c910495732127aeee6bc3712225556ef60d2d53a196366e0f80a9bde
            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction Fuzzy Hash: CCD0123A31617097CB29E6566914F67BD159BC5AA4F1A016D780AD7900CD158C42E6E0
            Function 03C6CA24 Relevance: .0, Instructions: 14COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0c4b28e2c4759a3a59a8479d2ccb39bf5642104c110b50c9c2a959d0a6d6e9cd
            • Instruction ID: 3ee3847636e66657bb83d6c0287fde87fff10d57bafe799f80352aa59fc7c393
            • Opcode Fuzzy Hash: 0c4b28e2c4759a3a59a8479d2ccb39bf5642104c110b50c9c2a959d0a6d6e9cd
            • Instruction Fuzzy Hash: C0D0A734601602CBCF26DF08C960E2E7674EB10640F4440A8E740D5520D324DD01D700
            Function 03C6A830 Relevance: .0, Instructions: 14COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
            • Instruction ID: e6688a36229cc725f66742a7a8dd44722952154f837c4b5643a9c6c5f1e0b95c
            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
            • Instruction Fuzzy Hash: 44D0123B1D064CBBCB11EF65DC01F957BA9E794BA0F458120B904CB5A0C63AE960D584
            Function 03C6CF50 Relevance: .0, Instructions: 14COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d887076a73bd9b29fb7a9539002049a92b65681037088c0c4dc40b4436c87311
            • Instruction ID: 1c2ffbe8c2760d70b637d0062c77e8151e62af9e8524b368b128387dc78ec67d
            • Opcode Fuzzy Hash: d887076a73bd9b29fb7a9539002049a92b65681037088c0c4dc40b4436c87311
            • Instruction Fuzzy Hash: 69D0C776150344ABC711FF59DD41F557B6AEBA4750F054020B504CB661C631ED61D658
            Function 03C402A0 Relevance: .0, Instructions: 13COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction ID: 1c0462645c36cdf0474f9257489164cb9fbaf1c77018e06211ea7fa06bafb8d3
            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction Fuzzy Hash: B8D0C935252E81CFD62ACF0DC5A4B16B3B8BB44B44F8604D0E501CBB61D66CEA40CE00
            Function 03C6C700 Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction ID: 0739117aced7e209daf7f718c1b25cc6fe6254657a345a45e752a03bef9e5298
            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction Fuzzy Hash: 90C0123A290688AFC712EA98CD01F027BA9EB98B80F014021F6048B670C631E820EA84
            Function 03C50310 Relevance: .0, Instructions: 11COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction ID: af6cc01c1105e08974ba28cad21c1b442f453ef79e4d5d8ced204fd8aa62431e
            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction Fuzzy Hash: 4AD01236100248EFCB01DF41C890D9A772AFBD8710F148019FD194B610CA31ED62DA50
            Function 03C30750 Relevance: .0, Instructions: 9COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction ID: b78394523fbcc826d887ce2e392feda29ae03ba974a0804cc97a4bb7a47ae7e8
            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction Fuzzy Hash: 15C04879B11A818FCF15EB2AD294F4977E8FB84744F1A08D0E805CFB21E624EA11DA10
            Function 03C74340 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f6a1fea4665c68775600945c68527f886cf85770db7a8e32eea73671f6144c3c
            • Instruction ID: d9207e47c900c21a26f1f008bb449648049f154fc077c928e4db173c3af88a4a
            • Opcode Fuzzy Hash: f6a1fea4665c68775600945c68527f886cf85770db7a8e32eea73671f6144c3c
            • Instruction Fuzzy Hash: CC900271605904129141B25848C45C6400697E0705B96C011E042C598C8B148B565361
            Function 03C74650 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1cf569dc05e96d32a3de8ec8f6a2522bb16e70576c8ebd9938cb955ea2c59d82
            • Instruction ID: 8c9c457570570642dd4c9970c2f4061f84117d5ad86024db98de2352c4182ade
            • Opcode Fuzzy Hash: 1cf569dc05e96d32a3de8ec8f6a2522bb16e70576c8ebd9938cb955ea2c59d82
            • Instruction Fuzzy Hash: EC9002A1601604424141B2584844486600697E17053D6C115A055C5A4C87188A559269
            Function 03C72BE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f468998828c7c21b8d10737fab4daf925a0115e8293e0ab912a7cb3c0be754f1
            • Instruction ID: a619991b01414a5cf53e4941cf349c28daf4f1760801d6ea0275baa4ad3d4f91
            • Opcode Fuzzy Hash: f468998828c7c21b8d10737fab4daf925a0115e8293e0ab912a7cb3c0be754f1
            • Instruction Fuzzy Hash: 5890027120554C42D141B2584444AC6001687D0709F96C011A006C6D8D97258F55B661
            Function 03C72BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 27353ca2fa6e462000efc1565e19cec3a879680fafe186e21852311c651db2e1
            • Instruction ID: 4ade4d89b8fd8c6dbf348899a9d592f55c2c63e515dd70313f3064eedb98d575
            • Opcode Fuzzy Hash: 27353ca2fa6e462000efc1565e19cec3a879680fafe186e21852311c651db2e1
            • Instruction Fuzzy Hash: 9A90027120150C02D181B25844446CA000687D1705FD6C015A002D698DCB158B5977A1
            Function 03C72B80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a0a6fd17d6b356deca95e2cbbdc6b571797c2bd4ab72b72caa470a2c01e20020
            • Instruction ID: 35c1e27b78686efcc3ee82ffe8a177864db586c5686cb8ff66742f92ef002207
            • Opcode Fuzzy Hash: a0a6fd17d6b356deca95e2cbbdc6b571797c2bd4ab72b72caa470a2c01e20020
            • Instruction Fuzzy Hash: 6690027120150C02D105B25848446C6000687D0705F96C011A602C699E97658A917131
            Function 03C72BA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cd06f0b28f58e57bb8cd87df76455e8f5abcd8c715f4d1faada655e17778f8ed
            • Instruction ID: d9216c63abd1ae65201849efdcb4a50e4151c712ceac89714f174068aaffc200
            • Opcode Fuzzy Hash: cd06f0b28f58e57bb8cd87df76455e8f5abcd8c715f4d1faada655e17778f8ed
            • Instruction Fuzzy Hash: 2A90027160550C02D151B25844547C6000687D0705F96C011A002C698D87558B5576A1
            Function 03C72AD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12f62d46cdd10e37022eeda355f86b5ee5b258e4315e249936961acc5b6ef2aa
            • Instruction ID: 5ccc219a2ee1aa6f5f38cdfe196630356f1921bbd00af45df39f71b803a0d9fb
            • Opcode Fuzzy Hash: 12f62d46cdd10e37022eeda355f86b5ee5b258e4315e249936961acc5b6ef2aa
            • Instruction Fuzzy Hash: BD900265211504030106F6580744587004787D5755396C021F101D594CD7218A615121
            Function 03C72AF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 572c9586e11b2366d272f8ea3e460b5446325f63564508eae813589def9106e1
            • Instruction ID: c2722349e27a935bfc5695f505d3cfbe9a2a88bd3de37575e91234bae57404ec
            • Opcode Fuzzy Hash: 572c9586e11b2366d272f8ea3e460b5446325f63564508eae813589def9106e1
            • Instruction Fuzzy Hash: F7900265221504020146F658064458B044697D67553D6C015F141E5D4CC7218A655321
            Function 03C72AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1cddc42f3248122e8b88e9d435b33fea9dcf695b7cc4d1b94eb57c9fadd963b5
            • Instruction ID: 2e8e4ebbd39979a97c036f95cf0b1e4137fb25db93f65f02320f814261de36b2
            • Opcode Fuzzy Hash: 1cddc42f3248122e8b88e9d435b33fea9dcf695b7cc4d1b94eb57c9fadd963b5
            • Instruction Fuzzy Hash: 069002E1201644924501F3588444B8A450687E0705B96C016E105C5A4CC6258A519135
            Function 03C72FE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9f1de2568e5b35f41c09ddb7e21c8cb1fe38838aac5b34aaaf48d52decedb78c
            • Instruction ID: 9bd2d9bce85154b30f317e8e6be32bc5c4c892e2d64f7141fbda9639946fc01f
            • Opcode Fuzzy Hash: 9f1de2568e5b35f41c09ddb7e21c8cb1fe38838aac5b34aaaf48d52decedb78c
            • Instruction Fuzzy Hash: 07900261211D0442D201B6684C54B87000687D0707F96C115A015C598CCA158A615521
            Function 03C72F90 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 96805f36d913fe6a9423e5d6493a79613a97cd180a72f6ee80b7d568ed3d8651
            • Instruction ID: af061bc7e42375e3cf38ebb6c4b3ce3cf207fe61a584f0b8efc80188a114a787
            • Opcode Fuzzy Hash: 96805f36d913fe6a9423e5d6493a79613a97cd180a72f6ee80b7d568ed3d8651
            • Instruction Fuzzy Hash: 9590027120190802D101B258485478B000687D0706F96C011A116C599D87258A516571
            Function 03C72FA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b3bf2a0c596872f11400af4e2ec543d560c9e08edb41399650334c885779a80b
            • Instruction ID: c5fa407f6bef238fdef9d573b1e13eff083977061a2a10579db8bde873315023
            • Opcode Fuzzy Hash: b3bf2a0c596872f11400af4e2ec543d560c9e08edb41399650334c885779a80b
            • Instruction Fuzzy Hash: 7F90027120190802D101B25848487C7000687D0706F96C011A516C599E8765CA916531
            Function 03C72FB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1115037693a0bd49650fcb1ef29b678f2b0df0ed81c991f8ae321e5ca613d024
            • Instruction ID: 7f7a45951496b504501c0e1f969aa8ad09dde4f8684043a0bf58f3020397ff6d
            • Opcode Fuzzy Hash: 1115037693a0bd49650fcb1ef29b678f2b0df0ed81c991f8ae321e5ca613d024
            • Instruction Fuzzy Hash: F3900261601504424141B26888849864006ABE1715796C121A099C594D86598A655665
            Function 03C72F60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dd7dbc1b65812bfdc3c8b3aa6d865845b690acf6205fec668580c866f5f05dec
            • Instruction ID: 1712e05f7f2c8bb087120fe9595f667e5454ca18542cfd3a418b0cfff1cac37e
            • Opcode Fuzzy Hash: dd7dbc1b65812bfdc3c8b3aa6d865845b690acf6205fec668580c866f5f05dec
            • Instruction Fuzzy Hash: 749002A121150442D105B2584444786004687E1705F96C012A215C598CC6298E615125
            Function 03C72F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c5abd74326b62b422f26fe47593f6712fe0fd22ef08f1d0153e6dbd459f667b2
            • Instruction ID: af5a27673156e8e58387cd342d22957042625c1a32243017c68b61198122fecb
            • Opcode Fuzzy Hash: c5abd74326b62b422f26fe47593f6712fe0fd22ef08f1d0153e6dbd459f667b2
            • Instruction Fuzzy Hash: 749002A134150842D101B2584454B860006C7E1705F96C015E106C598D8719CE526126
            Function 03C72EE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 526a57017b305494ce3da651556ccb93360e17fb026eca8b7392d55cf0b5916e
            • Instruction ID: f4b9876c674b2e959a84995f3a2ae1a5114c1bc452cf8bc1f6534c69a1b9fd6d
            • Opcode Fuzzy Hash: 526a57017b305494ce3da651556ccb93360e17fb026eca8b7392d55cf0b5916e
            • Instruction Fuzzy Hash: A29002A120190803D141B6584844687000687D0706F96C011A206C599E8B298E516135
            Function 03C72E80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0a598e5c05893417ac1694d23fd02842b938f5905a806c7946015c0961807497
            • Instruction ID: be6bcaf4fdf9f6dfb5a73d00c66b5be37e06a639bb86c4b068c61c6544370d8e
            • Opcode Fuzzy Hash: 0a598e5c05893417ac1694d23fd02842b938f5905a806c7946015c0961807497
            • Instruction Fuzzy Hash: 8B90026160150902D102B2584444696000B87D0745FD6C022A102C599ECB258B92A131
            Function 03C72EA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 41a8f9461d4ee9289c33852617af2290e19b995a45a779a30c440bfb0ecfbf48
            • Instruction ID: cd5d0dbdfc45c1236238367d0db5fa4f7885911f113865dcab8e29487817cca4
            • Opcode Fuzzy Hash: 41a8f9461d4ee9289c33852617af2290e19b995a45a779a30c440bfb0ecfbf48
            • Instruction Fuzzy Hash: 619002B120150802D141B25844447C6000687D0705F96C011A506C598E87598FD56665
            Function 03C72E30 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0baaf74fcfee02f88e31d7af043b879ea998c830b414bc6fdc116123616509db
            • Instruction ID: 07b89371a4f1f9fa36871b912d0783f1f71d67bc95cf137b20e3a167a4c999c8
            • Opcode Fuzzy Hash: 0baaf74fcfee02f88e31d7af043b879ea998c830b414bc6fdc116123616509db
            • Instruction Fuzzy Hash: 6590026130150802D103B2584454686000AC7D1749FD6C012E142C599D87258B53A132
            Function 03C72DD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b97de109d9ce11f4ca00854bc12cfdcce01ad0cbce555c2f91f9c8a59c9b2676
            • Instruction ID: b95aec3ceca8c4a18cdb42d24f9c8678a2cccd89f0fdad7f0dd1d748c2d26af6
            • Opcode Fuzzy Hash: b97de109d9ce11f4ca00854bc12cfdcce01ad0cbce555c2f91f9c8a59c9b2676
            • Instruction Fuzzy Hash: 1D900261242545525546F2584444587400797E07457D6C012A141C994C86269A56D621
            Function 03C72DB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 81ae7fb7eec0737ec12ef987033e79c4b7efd00d95891b76133ac50854d34c52
            • Instruction ID: 7959c87dcfcc67f523e0f252bad21bf2d9a84ff1698d7760c0d2f5c30b70b53c
            • Opcode Fuzzy Hash: 81ae7fb7eec0737ec12ef987033e79c4b7efd00d95891b76133ac50854d34c52
            • Instruction Fuzzy Hash: FE90027124150802D142B2584444686000A97D0745FD6C012A042C598E87558B56AA61
            Function 03C72D00 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b41d002c29a04433801278505445232b55868de5e147a4098f5c61211f679b71
            • Instruction ID: 62885221928e3cd2a7ab5da937fe13bc1477780380276833fd8c7422276209ae
            • Opcode Fuzzy Hash: b41d002c29a04433801278505445232b55868de5e147a4098f5c61211f679b71
            • Instruction Fuzzy Hash: A990026120554842D101B6585448A86000687D0709F96D011A106C5D9DC7358A51A131
            Function 03C72D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 25339b556130a5f8428e76d34de69378d07463e8d35582d339d360ecb0dc9a3e
            • Instruction ID: 5460a0524fe1d3517a85ca47f531e7c769fc0a721a2bf25b8d0d28aa80b5cc6c
            • Opcode Fuzzy Hash: 25339b556130a5f8428e76d34de69378d07463e8d35582d339d360ecb0dc9a3e
            • Instruction Fuzzy Hash: 3E90026921350402D181B258544868A000687D1706FD6D415A001D59CCCA158A695321
            Function 03C72D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2ec5e3fef85bc7883f36a9a81cfc14227ade316a7002492c8551c14abb453eba
            • Instruction ID: 0d481d4aae41c2ebb2b2afc0bc20a2567cdc09918271c04b78fd940bbf8aa644
            • Opcode Fuzzy Hash: 2ec5e3fef85bc7883f36a9a81cfc14227ade316a7002492c8551c14abb453eba
            • Instruction Fuzzy Hash: 5990026130150403D141B25854586864006D7E1705F96D011E041C598CDA158A565222
            Function 03C72CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 639d774944fb959c82529cc5b8109e983852a47e9b5d0778f770922c07bb37d4
            • Instruction ID: cd9ba0f04ae1f3449004b61af729cef47b508c8a8682916607adc07cd4643fa1
            • Opcode Fuzzy Hash: 639d774944fb959c82529cc5b8109e983852a47e9b5d0778f770922c07bb37d4
            • Instruction Fuzzy Hash: 8190026160550802D141B2585458786001687D0705F96D011A002C598DC7598B5566A1
            Function 03C72CF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 322bd08880515d1256ad3188221d8dcd285131f1ee51025be506d6dfcc097f55
            • Instruction ID: 9d4892514085e924343abae3fedf7e74a1a02e932b6321594537480a6ec83b31
            • Opcode Fuzzy Hash: 322bd08880515d1256ad3188221d8dcd285131f1ee51025be506d6dfcc097f55
            • Instruction Fuzzy Hash: EA90027120150803D101B2585548787000687D0705F96D411A042C59CDD7568A516121
            Function 03C72CA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c374ec641fe403108ad000a50be259319a1438c7b2cafa5904bee78014e7d457
            • Instruction ID: 1c3bcd2550a7eb90aaf10bf9a51a0c36edeeba2c6e0787d547c5b6f210126d10
            • Opcode Fuzzy Hash: c374ec641fe403108ad000a50be259319a1438c7b2cafa5904bee78014e7d457
            • Instruction Fuzzy Hash: C790027120150802D101B69854486C6000687E0705F96D011A502C599EC7658A916131
            Function 03C72C60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2740e0b13f9f5e04f4fe40e20fc2978b1eeb5632a9198ed2366e80f74479692a
            • Instruction ID: acc37ffa046e2ec2370b46289f10d2877c31a4f321e0a16c5d262f1a977cdc65
            • Opcode Fuzzy Hash: 2740e0b13f9f5e04f4fe40e20fc2978b1eeb5632a9198ed2366e80f74479692a
            • Instruction Fuzzy Hash: 7F90027120150C42D101B2584444BC6000687E0705F96C016A012C698D8715CA517521
            Function 03C72C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f49764909e6e396c5a00fc965032020b2cfabe2e868c55be8d0337420572be7
            • Instruction ID: 598963207200d24d0577c0f5483c3fdcfccdafd67aeaeeeddfda3b6d8db47470
            • Opcode Fuzzy Hash: 7f49764909e6e396c5a00fc965032020b2cfabe2e868c55be8d0337420572be7
            • Instruction Fuzzy Hash: 5C90027120158C02D111B25884447CA000687D0705F9AC411A442C69CD87958A917121
            Function 03C73090 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 921e7da90aee502a168f58cb787e620a7bb052eb0bd19b5734fe8e1115e9289a
            • Instruction ID: 5e73577c256afb0f2e4224b975434118a4d9fc5e23f65ad3b760169dd3c94409
            • Opcode Fuzzy Hash: 921e7da90aee502a168f58cb787e620a7bb052eb0bd19b5734fe8e1115e9289a
            • Instruction Fuzzy Hash: 1190026124150C02D141B25884547870007C7D0B05F96C011A002C598D87168B6566B1
            Function 03C73010 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d89fa28f4e4dae07eecbc4d38ffa4db5bccbeba74fb5ea859bdc64c0fa0d1d86
            • Instruction ID: 2b2f1c7b56368b0ba0206c1bcaeac6d0a73628fd64a280b13bf714149cf5c21f
            • Opcode Fuzzy Hash: d89fa28f4e4dae07eecbc4d38ffa4db5bccbeba74fb5ea859bdc64c0fa0d1d86
            • Instruction Fuzzy Hash: 1B90026120194842D141B3584844B8F410687E1706FD6C019A415E598CCA158A555721
            Function 03C739B0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 23704cc1692e00a76c61809f41ac85640bf0791c1fea3c9a940ccac78960c245
            • Instruction ID: 79b255b7f3a25c8e839931f40a2bb101864861b948c2a43a3cf4c2cf473dfe59
            • Opcode Fuzzy Hash: 23704cc1692e00a76c61809f41ac85640bf0791c1fea3c9a940ccac78960c245
            • Instruction Fuzzy Hash: 3E90026124555502D151B25C44446964006A7E0705F96C021A081C5D8D86558A556221
            Function 03C72C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction ID: 0d3627805aff96901c21ac4bd397b112becf48653099e955831717f6116fc35e
            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction Fuzzy Hash:
            Function 03C72890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 68f4612d5e19820e097fea57aa846fb415acdf13e87fb68241b6f7b7fc2dd38e
            • Instruction ID: efe65e552ba8c6ba2f1a327fbf350d34c612125bbbb71844f3318db3e6f654ce
            • Opcode Fuzzy Hash: 68f4612d5e19820e097fea57aa846fb415acdf13e87fb68241b6f7b7fc2dd38e
            • Instruction Fuzzy Hash: 3951EBB6A04556BFCB10DF9DC99097EF7B8BB08204B188569E8A5DB641D334DF44CBE0
            Function 03CE2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 062f2b66c06cd25ac7f7d48d158236f3893796431c45ea33e75e58a117f3c4a7
            • Instruction ID: d1080f25c874760b79874683c08355b887ebad9064e61529b500ff7577e3dff5
            • Opcode Fuzzy Hash: 062f2b66c06cd25ac7f7d48d158236f3893796431c45ea33e75e58a117f3c4a7
            • Instruction Fuzzy Hash: EB51E9B6A00655AECB30FF5CC990A7FBBFDEB44204B048869E4A6DB641D774EB40C760
            Function 03C67630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
            Download Yara Rule
            Strings
            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03CA4742
            • CLIENT(ntdll): Processing section info %ws..., xrefs: 03CA4787
            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03CA46FC
            • ExecuteOptions, xrefs: 03CA46A0
            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03CA4725
            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03CA4655
            • Execute=1, xrefs: 03CA4713
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
            • API String ID: 0-484625025
            • Opcode ID: 1c6f53650ccb40283799fe10f8040436b39d97cfbb627499b81fb7a745151332
            • Instruction ID: 06b9f57d481f30b6d1324014d8eb9986d75efd06abc0d947a6222a4263b94bae
            • Opcode Fuzzy Hash: 1c6f53650ccb40283799fe10f8040436b39d97cfbb627499b81fb7a745151332
            • Instruction Fuzzy Hash: E8511735A003196ADB25EBA9DCC5FAE73B8AF04308F0804A9D505EF281E770EA419B50
            Function 03C7B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-$0$0
            • API String ID: 1302938615-699404926
            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction ID: 34d7a80f866803ea96099025eacc2307bae200f9dd0d7ef8311687fdf6967e29
            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
            • Instruction Fuzzy Hash: 7D81AF74E452499EDF28CE69C8917FEBBB5AF45350F1C425AEC61EB390C7349E408B60
            Function 03C5F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
            Download Yara Rule
            Strings
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03CA02E7
            • RTL: Re-Waiting, xrefs: 03CA031E
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03CA02BD
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
            • API String ID: 0-2474120054
            • Opcode ID: 80f615509c55bee5a8fbc5557b6c354e971492a0ddee51d2ba228251dccf47b1
            • Instruction ID: b48dd6e33cae6828f470beb5e4377074818ba2f757c513872737d7287a0a4653
            • Opcode Fuzzy Hash: 80f615509c55bee5a8fbc5557b6c354e971492a0ddee51d2ba228251dccf47b1
            • Instruction Fuzzy Hash: 5BE1B031604B42DFD728CF28C884B6AB7E0BB85358F180A5DF9A5CB2D1D775E984CB46
            Function 03C6B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03CA728C
            Strings
            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03CA7294
            • RTL: Re-Waiting, xrefs: 03CA72C1
            • RTL: Resource at %p, xrefs: 03CA72A3
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 885266447-605551621
            • Opcode ID: 841dd5f8802488c8e6727995ca81adc7fb992f5a7badcdbd3b8e057a8c326018
            • Instruction ID: d9f05128909cebfc15da59a1f08ae3aaf03a5f25a2ffc3fd96c899188efcd288
            • Opcode Fuzzy Hash: 841dd5f8802488c8e6727995ca81adc7fb992f5a7badcdbd3b8e057a8c326018
            • Instruction Fuzzy Hash: 3641EE35600B06ABC720DE6ACC81B6AB7A5FB84718F144629F895EB240DB21F9529BD1
            Function 03CE2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: %%%u$]:%u
            • API String ID: 48624451-3050659472
            • Opcode ID: 5565cc5d954e9c4a2e6ad84628171511d2e0d9cc2d1e7424c7cb13cdbb4e2fcb
            • Instruction ID: e42ec76d1c7f5f368b66db272d719d7e6272ca4857845bd86cf76f25e76176e3
            • Opcode Fuzzy Hash: 5565cc5d954e9c4a2e6ad84628171511d2e0d9cc2d1e7424c7cb13cdbb4e2fcb
            • Instruction Fuzzy Hash: 9C316676A002299FDB60EF29CC40BEEB7BCFB44610F454556E949E7240EB309A449FA0
            Function 03C39126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2474886201.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$@
            • API String ID: 0-1194432280
            • Opcode ID: b8b59842621210d6a43b77628b99d3814a5ea1cd71b293743381447bf040af07
            • Instruction ID: 6f1e881fbeb022f4a0fa1fbfcd48d6c0d75139eebf8b1b87225491d8be405923
            • Opcode Fuzzy Hash: b8b59842621210d6a43b77628b99d3814a5ea1cd71b293743381447bf040af07
            • Instruction Fuzzy Hash: 51812B76D002699BDB31DF54CC48BEEB7B8AB08710F0545DAA919FB280D7709E84DFA0