Analysis Report svchost[1].exe

Overview

General Information

Sample Name: svchost[1].exe
Analysis ID: 383988
MD5: f31b0e7d038ed9d64be2c6ef94fa5171
SHA1: a4311ea256fb28fa7815249f43c903641c7114da
SHA256: 30865d42d9897a6611df8683bc041836794cf6d7ee47763281fbed0f063a7c8e

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • svchost[1].exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\svchost[1].exe' MD5: F31B0E7D038ED9D64BE2C6EF94FA5171)
    • svchost[1].exe (PID: 5872 cmdline: C:\Users\user\Desktop\svchost[1].exe MD5: F31B0E7D038ED9D64BE2C6EF94FA5171)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "helio@lpsinvest.comz6~Rhjss*B0}smtp.lpsinvest.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.svchost[1].exe.3c80048.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.2.svchost[1].exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.svchost[1].exe.3b49d80.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.svchost[1].exe.3b49d80.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.svchost[1].exe.3b49d80.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "helio@lpsinvest.comz6~Rhjss*B0}smtp.lpsinvest.com"}
Multi AV Scanner detection for submitted file
Source: svchost[1].exe | Virustotal: Detection: 15%
Source: svchost[1].exe | ReversingLabs: Detection: 16%
Machine Learning detection for sample
Source: svchost[1].exe | Joe Sandbox ML: detected
Source: 5.2.svchost[1].exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: svchost[1].exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: svchost[1].exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_04AA8160
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_04AA9680
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_04AA9670
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_04AA8151
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_04AA8214

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 5.10.29.169:587
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 5.10.29.169:587
Source: Joe Sandbox View | IP Address: 5.10.29.169
Source: Joe Sandbox View | ASN Name: EVEREST-ASGB
Source: unknown | DNS traffic detected: queries for: smtp.lpsinvest.com

System Summary:

.NET source code contains very large array initializations
Source: 5.2.svchost[1].exe.400000.0.unpack, <PrivateImplementationDetails>{2429E0AC-C67E-4BB9-982E-094851467126}/CC8F16B2-6C4F-4B93-81B5-25F57D65A170.cs | Large array initialization: .cctor: array initializer size 11954
Source: svchost[1].exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost[1].exe | Binary or memory string: OriginalFilename vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.670654588.0000000007270000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.670490935.00000000070C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVelcoHvurJzSrWOaHpKEnnVWLqW.exe4 vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000000.642028343.0000000000672000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameVelcoHvurJzSrWOaHpKEnnVWLqW.exe4 vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906391605.0000000000F58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906825657.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906252484.0000000000AD2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe
Source: svchost[1].exe | Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe
Source: svchost[1].exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: svchost[1].exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.svchost[1].exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2
Source: C:\Users\user\Desktop\svchost[1].exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost[1].exe.log
Source: C:\Users\user\Desktop\svchost[1].exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\svchost[1].exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\svchost[1].exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: svchost[1].exe | Virustotal: Detection: 15%
Source: svchost[1].exe | ReversingLabs: Detection: 16%
Source: unknown | Process created: C:\Users\user\Desktop\svchost[1].exe 'C:\Users\user\Desktop\svchost[1].exe'
Source: C:\Users\user\Desktop\svchost[1].exe | Process created: C:\Users\user\Desktop\svchost[1].exe C:\Users\user\Desktop\svchost[1].exe
Source: C:\Users\user\Desktop\svchost[1].exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\svchost[1].exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: svchost[1].exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: svchost[1].exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 0_2_00688523 push dword ptr [esi+3Fh]; iretd 0_2_00688535
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 0_2_00675683 push es; retf 0_2_00675684
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 0_2_0068928F push FFFFFFD9h; iretd 0_2_006892AC
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 0_2_04AA1FD7 push D0456990h; retf 0_2_04AA1FDC
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 5_2_00AE8523 push dword ptr [esi+3Fh]; iretd 5_2_00AE8535
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 5_2_00AE928F push FFFFFFD9h; iretd 5_2_00AE92AC
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 5_2_00AD5683 push es; retf 5_2_00AD5684
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 5_2_0131E0C2 push es; ret 5_2_0131E0D0
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 5_2_016ACD51 push esp; iretd 5_2_016ACD5D
Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 5_2_055A5157 push eax; ret 5_2_055A5165
Source: initial sample | Static PE information: section name: .text entropy: 7.56739593384
Source: C:\Users\user\Desktop\svchost[1].exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\svchost[1].exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion:

                    Yara detected AntiVM3
                    Source: Yara match | File source: 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 6956, type: MEMORY
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 0_2_00674CAE sldt word ptr [eax]
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\svchost[1].exe | Window / User API: threadDelayed 962
                    Source: C:\Users\user\Desktop\svchost[1].exe | Window / User API: threadDelayed 8893
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 6960 | Thread sleep time: -103561s >= -30000s
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 7000 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 6512 | Thread sleep time: -22136092888451448s >= -30000s
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 6516 | Thread sleep count: 962 > 30
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 6516 | Thread sleep count: 8893 > 30
                    Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 103561
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 922337203685477
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: vmware
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
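The registry paths, WMI classes and marker strings above show what the sample probes, but a behaviour report cannot show how those probes are combined. The following is an added example, not the sample's code and not a Joe Sandbox component: it reconstructs the probes as checks over an offline snapshot of a host, so a sandbox operator can run the same checklist against an analysis image before hardening it. The HostSnapshot layout, the MAC-address OUI test attached to the Win32_NetworkAdapterConfiguration query, and the two constructed snapshots are assumptions for illustration; the registry keys, WMI classes, directory, module and export names are taken from the strings listed above.

```python
"""Anti-VM / anti-sandbox probes reconstructed from the memory strings and WMI
queries listed in this report, evaluated against an offline host snapshot.
Added example code: the report shows which artifacts the sample reads, not how
it weighs them, so every hit is reported as one independent indicator."""
import re
from dataclasses import dataclass, field

# Registry paths taken from the memory strings above. The SCSI device-map and
# Disk\Enum keys hold disk identification strings; {4D36E968-...} is the display
# adapter class, whose 0000 subkey describes the video driver ("VMware SVGA II").
REGISTRY_KEYS = [
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
    r"SYSTEM\ControlSet001\Services\Disk\Enum",
    r"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000",
]
# WMI classes the sample enumerates (IWbemServices::CreateInstanceEnum / ExecQuery).
WMI_CLASSES = ["Win32_BaseBoard", "Win32_NetworkAdapterConfiguration", "Win32_Processor"]
VMWARE_TOOLS_DIR = "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"
VM_MARKER = re.compile(r"vmware", re.IGNORECASE)
# Assumption: the adapter query is used for the vendor part of the MAC address;
# 00:0C:29 and 00:50:56 are VMware-assigned OUIs.
VMWARE_OUIS = ("00:0C:29", "00:50:56")


@dataclass
class HostSnapshot:
    """Assumed layout: what a collector would gather from the guest ahead of time."""
    registry: dict = field(default_factory=dict)   # key path -> {value name: data}
    wmi: dict = field(default_factory=dict)        # class name -> list of instances
    files: set = field(default_factory=set)        # paths present on disk
    modules: set = field(default_factory=set)      # modules loaded in our process
    kernel32_exports: set = field(default_factory=set)


def detect_vm(snap: HostSnapshot) -> list:
    hits = []
    # 1. VMware Tools: install directory on disk and the InstallPath registry key.
    if VMWARE_TOOLS_DIR.upper() in {f.upper() for f in snap.files}:
        hits.append("file: VMware Tools directory present")
    for key in REGISTRY_KEYS:
        values = snap.registry.get(key)
        if values is None:
            continue
        if key.startswith("SOFTWARE\\VMware"):
            hits.append(f"registry: {key} exists")
            continue
        # 2. Device-identification keys: any value naming the hypervisor.
        for name, data in values.items():
            if VM_MARKER.search(str(data)):
                hits.append(f"registry: {key}\\{name} = {data!r}")
    # 3. WMI: scan every property of the three enumerated classes.
    for cls in WMI_CLASSES:
        for inst in snap.wmi.get(cls, []):
            for prop, val in inst.items():
                if VM_MARKER.search(str(val)):
                    hits.append(f"wmi: {cls}.{prop} = {val!r}")
                elif prop == "MACAddress" and str(val).upper().startswith(VMWARE_OUIS):
                    hits.append(f"wmi: {cls}.MACAddress {val} has a VMware OUI")
    # 4. Sandboxie injects SbieDll.dll into every sandboxed process.
    if any(m.lower() == "sbiedll.dll" for m in snap.modules):
        hits.append("module: SbieDll.dll loaded (Sandboxie)")
    # 5. Wine's kernel32 exports wine_get_unix_file_name; Microsoft's does not.
    if "wine_get_unix_file_name" in snap.kernel32_exports:
        hits.append("export: wine_get_unix_file_name present (Wine)")
    return hits


# Constructed snapshots (illustrative values, not captured from a real guest).
VMWARE_GUEST = HostSnapshot(
    registry={
        REGISTRY_KEYS[0]: {"InstallPath": VMWARE_TOOLS_DIR},
        REGISTRY_KEYS[1]: {"Identifier": "VMware  Virtual disk"},
        REGISTRY_KEYS[4]: {"DriverDesc": "VMware SVGA II"},
    },
    wmi={
        "Win32_BaseBoard": [{"Manufacturer": "Intel Corporation", "Product": "440BX Desktop Reference Platform"}],
        "Win32_NetworkAdapterConfiguration": [{"MACAddress": "00:0C:29:11:22:33"}],
        "Win32_Processor": [{"Name": "Intel(R) Xeon(R) CPU"}],
    },
    files={VMWARE_TOOLS_DIR},
)
BARE_METAL = HostSnapshot(
    wmi={"Win32_BaseBoard": [{"Manufacturer": "ASUSTeK"}],
         "Win32_NetworkAdapterConfiguration": [{"MACAddress": "3C:7C:3F:AA:BB:CC"}]},
    modules={"ntdll.dll", "kernel32.dll"},
)

if __name__ == "__main__":
    for line in detect_vm(VMWARE_GUEST):
        print(line)
```

Each entry in the returned list is one artifact to scrub or spoof in the analysis image; the VMware SVGA II driver description and the SCSI identifier strings are the ones most often left behind after the Tools directory and its registry key have been removed.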
                    Source: C:\Users\user\Desktop\svchost[1].exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\svchost[1].exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\svchost[1].exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\svchost[1].exe | Memory written: C:\Users\user\Desktop\svchost[1].exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\svchost[1].exe | Process created: C:\Users\user\Desktop\svchost[1].exe C:\Users\user\Desktop\svchost[1].exe
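The thread-delay and sleep-count events in the evasion section and the memory-write and process-creation events just above are individually weak signals; the value is in correlating them. The following added example, not part of the report or of Joe Sandbox, parses those event lines (copied from this page with the page widgets stripped) and applies three rules: a sleep at or above the 30000 bound the report prints, a sleep loop above the 30 bound the report prints, and a process that launches a copy of its own image and writes an MZ header at that image's base, which is the process-hollowing pattern behind the "Injects a PE file into a foreign processes" signature. The ATT&CK mappings and the observation that 922337203685477 is INT64_MIN in 100 ns ticks scaled to milliseconds (an unbounded relative wait) are the editor's inferences, not statements on the page.

```python
"""Correlate the per-thread and per-process events listed in this report into the
evasion and injection findings a triage analyst wants. Added example code, not a
Joe Sandbox component: the event lines are copied from the report and the
thresholds are the ones the report itself prints."""
import re
from dataclasses import dataclass

# The page prints sleep values with an "s" suffix but does not state the unit, so
# they are compared as printed. 922337203685477 == 2**63 // 10**4: INT64_MIN in
# 100-ns ticks (an unbounded relative NtDelayExecution timeout) scaled to ms.
INFINITE_DELAY = 2**63 // 10**4          # 922337203685477
SLEEP_THRESHOLD = 30000                  # the ">= -30000s" bound printed in the report
LOOP_THRESHOLD = 30                      # the "> 30" bound printed in the report

PATTERNS = {
    "sleep":   re.compile(r"TID: (?P<tid>\d+)\s*Thread sleep time: (?P<value>-?\d+)s"),
    "count":   re.compile(r"TID: (?P<tid>\d+)\s*Thread sleep count: (?P<value>\d+)"),
    "created": re.compile(r"Process created: (?P<image>\S+) (?P<cmdline>\S+)$"),
    "written": re.compile(r"Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+) "
                          r"value starts with: (?P<magic>[0-9A-Fa-f]+)$"),
}
SOURCE = re.compile(r"^Source: (?P<source>\S+)\s+(?P<rest>.*)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str     # ATT&CK id the rule maps to (editor's mapping)
    detail: str


def parse_event(line):
    """Return (source, kind, fields) for a recognised event line, else None."""
    m = SOURCE.match(line.strip())
    if not m:
        return None
    for kind, pat in PATTERNS.items():
        e = pat.search(m["rest"])
        if e:
            return m["source"], kind, e.groupdict()
    return None


def analyze(lines):
    findings = []
    writes_mz = set()    # (writer, target): an MZ header written at a module base
    self_spawn = set()   # (parent, child image) where the child is the parent's image
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        source, kind, g = ev
        if kind == "sleep":
            delay = abs(int(g["value"]))
            if delay >= SLEEP_THRESHOLD:
                note = ("unbounded wait (INT64_MIN timeout)" if delay == INFINITE_DELAY
                        else f"{delay} as printed")
                findings.append(Finding("long_sleep", "T1497.003", f"TID {g['tid']}: {note}"))
        elif kind == "count" and int(g["value"]) > LOOP_THRESHOLD:
            findings.append(Finding("sleep_loop", "T1497.003",
                                    f"TID {g['tid']}: {g['value']} sleeps in a loop"))
        elif kind == "written" and g["magic"].upper().startswith("4D5A"):
            writes_mz.add((source, g["target"]))
        elif kind == "created" and g["image"] == source:
            self_spawn.add((source, g["image"]))
    # Hollowing needs both halves: a suspended copy of itself AND a PE image written
    # over that copy's base. Either event alone is benign (self-restart, plugin load).
    for parent, child in sorted(writes_mz & self_spawn):
        findings.append(Finding("self_hollowing", "T1055.012",
                                f"{parent} wrote a PE image into a fresh copy of itself"))
    return findings


# Event lines copied from the report above (page widgets removed).
EVENTS = [
    r"Source: C:\Users\user\Desktop\svchost[1].exe TID: 6960 Thread sleep time: -103561s >= -30000s",
    r"Source: C:\Users\user\Desktop\svchost[1].exe TID: 7000 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\svchost[1].exe TID: 6512 Thread sleep time: -22136092888451448s >= -30000s",
    r"Source: C:\Users\user\Desktop\svchost[1].exe TID: 6516 Thread sleep count: 962 > 30",
    r"Source: C:\Users\user\Desktop\svchost[1].exe TID: 6516 Thread sleep count: 8893 > 30",
    r"Source: C:\Users\user\Desktop\svchost[1].exe Memory written: C:\Users\user\Desktop\svchost[1].exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\svchost[1].exe Process created: C:\Users\user\Desktop\svchost[1].exe C:\Users\user\Desktop\svchost[1].exe",
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:15} {f.technique:10} {f.detail}")
```

Running the block prints one line per finding. The self_hollowing rule deliberately requires both events; a process restarting itself (an updater or a UAC re-launch) or a PE image written into some other process alone would not fire it, so the rule stays quiet on the common benign cases while still catching the self-targeting RunPE pattern this sample uses.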
                    Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                    Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Progman
                    Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Users\user\Desktop\svchost[1].exe VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Users\user\Desktop\svchost[1].exe VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost[1].exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 5872, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 6956, type: MEMORY
Source: Yara match | File source: 0.2.svchost[1].exe.3c80048.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost[1].exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.svchost[1].exe.3b49d80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.svchost[1].exe.3b49d80.3.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\svchost[1].exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\svchost[1].exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\svchost[1].exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 5872, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 5872, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 6956, type: MEMORY
Source: Yara match | File source: 0.2.svchost[1].exe.3c80048.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost[1].exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.svchost[1].exe.3b49d80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.svchost[1].exe.3b49d80.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 141 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 141 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                    Behavior Graph


                    Screenshots


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

Source | Detection | Scanner | Label
svchost[1].exe | 16% | Virustotal |
svchost[1].exe | 17% | ReversingLabs | Win32.Trojan.AgentTesla
svchost[1].exe | 100% | Joe Sandbox ML |

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

Source | Detection | Scanner | Label
5.2.svchost[1].exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                    Domains

                    No Antivirus matches

                    URLs


                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.lpsinvest.com | 5.10.29.169 | true | true | | unknown

                      URLs from Memory and Binaries

                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.founder.com.cn/cn0svchost[1].exe, 00000000.00000003.647133595.0000000005AD7000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-user.htmlsvchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://smtp.lpsinvest.comsvchost[1].exe, 00000005.00000002.908445459.00000000033DA000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://AFplKq.comsvchost[1].exe, 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.founder.com.cn/cnd:svchost[1].exe, 00000000.00000003.646976353.0000000005ADE000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown

                                                      Contacted IPs


                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
5.10.29.169 | smtp.lpsinvest.com | United Kingdom | 60610 | EVEREST-ASGB | true

                                                      Private

                                                      IP
                                                      192.168.2.1

                                                      General Information

                                                      Joe Sandbox Version:31.0.0 Emerald
                                                      Analysis ID:383988
                                                      Start date:08.04.2021
                                                      Start time:13:42:42
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 8m 2s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Sample file name:svchost[1].exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@1/2
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:
                                                      • Successful, ratio: 0.1% (good quality ratio 0%)
                                                      • Quality average: 17.8%
                                                      • Quality standard deviation: 31.4%
                                                      HCA Information:
                                                      • Successful, ratio: 99%
                                                      • Number of executed functions: 67
                                                      • Number of non-executed functions: 22
                                                      Cookbook Comments:
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Found application associated with file extension: .exe
                                                      Warnings:
                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                      • Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.54.113.53, 52.147.198.201, 52.255.188.83, 20.50.102.62, 23.10.249.26, 23.10.249.43, 13.88.21.125, 52.155.217.156, 20.54.26.129, 20.82.210.154, 104.43.193.48
                                                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                      Simulations

                                                      Behavior and APIs

Time | Type | Description
13:43:36 | API Interceptor | 720x Sleep call for process: svchost[1].exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

Match: 5.10.29.169
Associated Sample Name / URL (Detection):
• PAGO.xlsx (malicious)
• 78jqVxp7pl.exe (malicious)
• AhJ6Pqv5Ik.exe (malicious)
• SecuriteInfo.com.Trojan.PackedNET.598.11918.exe (malicious)
• 179422427-105719-sanlccjavap0003-1.pdf.exe (malicious)
• 6wYAsx4N91.exe (malicious)
• SecuriteInfo.com.Trojan.Win32.Save.a.2641.exe (malicious)
• Transf. ppto 310404.xlsx (malicious)
• PAGO.xlsx (malicious)

                                                                        Domains

Match: smtp.lpsinvest.com
Associated Sample Name / URL (Detection; Context):
• PAGO.xlsx (malicious; context: 5.10.29.169)
• 78jqVxp7pl.exe (malicious; context: 5.10.29.169)

                                                                        ASN

Match: EVEREST-ASGB
Associated Sample Name / URL (Detection; Context):
• PAGO.xlsx (malicious; context: 5.10.29.169)
• 78jqVxp7pl.exe (malicious; context: 5.10.29.169)
• AhJ6Pqv5Ik.exe (malicious; context: 5.10.29.169)
• SecuriteInfo.com.Trojan.PackedNET.598.11918.exe (malicious; context: 5.10.29.169)
• 179422427-105719-sanlccjavap0003-1.pdf.exe (malicious; context: 5.10.29.169)
• 6wYAsx4N91.exe (malicious; context: 5.10.29.169)
• SecuriteInfo.com.Trojan.Win32.Save.a.2641.exe (malicious; context: 5.10.29.169)
• Transf. ppto 310404.xlsx (malicious; context: 5.10.29.169)
• PAGO.xlsx (malicious; context: 5.10.29.169)

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost[1].exe.log
                                                                        Process:C:\Users\user\Desktop\svchost[1].exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1314
                                                                        Entropy (8bit):5.350128552078965
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                        MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                        SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                        SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                        SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                        Malicious:true
                                                                        Reputation:high, very likely benign file
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.231779565509928
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:svchost[1].exe
                                                                        File size:908800
                                                                        MD5:f31b0e7d038ed9d64be2c6ef94fa5171
                                                                        SHA1:a4311ea256fb28fa7815249f43c903641c7114da
                                                                        SHA256:30865d42d9897a6611df8683bc041836794cf6d7ee47763281fbed0f063a7c8e
                                                                        SHA512:45c21e3bf159c80ed6978a92134397074cafec0e5239660c5c691ef3769764209922fec772612c61e12d45a3c157e69264c3bcd89d3cd1ec142778e42b76de01
                                                                        SSDEEP:12288:SSLIIK2eESKnuHOvMUUzui2KrbCR4MzRBMuWRTIv/YLOn8gsIKUvE+:SSEIVfuuU/zbCxz4FYwankIc
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.n`..............P......F........... ........@.. .......................@............@................................

                                                                        File Icon

                                                                        Icon Hash:e8d4ae708e8ec461

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x4ab49a
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                        Time Stamp:0x606EB279 [Thu Apr 8 07:36:25 2021 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:v4.0.30319
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                        Entrypoint Preview

                                                                        Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes after the jmp are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab448 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x34234 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa94a0 | 0xa9600 | False | 0.794058464022 | data | 7.56739593384 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x34234 | 0x34400 | False | 0.389905427632 | data | 5.76174565278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xac220 | 0x521e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0xb1450 | 0x6f5a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0xb83bc | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xc8bf4 | 0x94a8 | data | |
RT_ICON | 0xd20ac | 0x5488 | data | |
RT_ICON | 0xd7544 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 15794175, next used block 4294902528 | |
RT_ICON | 0xdb77c | 0x25a8 | data | |
RT_ICON | 0xddd34 | 0x10a8 | data | |
RT_ICON | 0xdedec | 0x988 | data | |
RT_ICON | 0xdf784 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xdfbfc | 0x92 | data | |
RT_VERSION | 0xdfca0 | 0x392 | data | |
RT_MANIFEST | 0xe0044 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016 Computer City
Assembly Version | 1.12.0.2
InternalName | CreateRangesd9.exe
FileVersion | 1.12.0.2
CompanyName | Computer City
LegalTrademarks |
Comments |
ProductName | UnmanagedAccessor
ProductVersion | 1.12.0.2
FileDescription | UnmanagedAccessor
OriginalFilename | CreateRangesd9.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/08/21-13:45:21.100935 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49764 | 587 | 192.168.2.4 | 5.10.29.169

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 13:45:20.774466991 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.809410095 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.809658051 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.843045950 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.843540907 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.876821041 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.878261089 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.911379099 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.911873102 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.945014954 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.945971012 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.980176926 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.982388020 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.016210079 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.016686916 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.099493027 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.100934982 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.101042986 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.101499081 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.101574898 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.134054899 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.134463072 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.134802103 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.174755096 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169

UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 13:45:20.593401909 CEST | 192.168.2.4 | 8.8.8.8 | 0x2ebe | Standard query (0) | smtp.lpsinvest.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 13:45:20.638649940 CEST | 8.8.8.8 | 192.168.2.4 | 0x2ebe | No error (0) | smtp.lpsinvest.com | | 5.10.29.169 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 8, 2021 13:45:20.843045950 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 220 mail.elixir.eu.com
Apr 8, 2021 13:45:20.843540907 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | EHLO 284992
Apr 8, 2021 13:45:20.876821041 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 250-mail.elixir.eu.com Hello [185.32.222.8]
 | | | | | 250-SIZE 31457280
 | | | | | 250-AUTH LOGIN CRAM-MD5
 | | | | | 250-STARTTLS
 | | | | | 250-8BITMIME
 | | | | | 250 OK
Apr 8, 2021 13:45:20.878261089 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | AUTH login aGVsaW9AbHBzaW52ZXN0LmNvbQ==
Apr 8, 2021 13:45:20.911379099 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 8, 2021 13:45:20.945014954 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 235 Authentication successful
Apr 8, 2021 13:45:20.945971012 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | MAIL FROM:<helio@lpsinvest.com>
Apr 8, 2021 13:45:20.980176926 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 250 OK <helio@lpsinvest.com> Sender ok
Apr 8, 2021 13:45:20.982388020 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | RCPT TO:<helio@lpsinvest.com>
Apr 8, 2021 13:45:21.016210079 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 250 OK <helio@lpsinvest.com> Recipient ok
Apr 8, 2021 13:45:21.016686916 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | DATA
Apr 8, 2021 13:45:21.099493027 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 354 Start mail input; end with <CRLF>.<CRLF>
Apr 8, 2021 13:45:21.101574898 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | .
Apr 8, 2021 13:45:21.134802103 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 250 OK

System Behavior

General

Start time: 13:43:27
Start date: 08/04/2021
Path: C:\Users\user\Desktop\svchost[1].exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\svchost[1].exe'
Imagebase: 0x670000
File size: 908800 bytes
MD5 hash: F31B0E7D038ED9D64BE2C6EF94FA5171
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 13:43:37
Start date: 08/04/2021
Path: C:\Users\user\Desktop\svchost[1].exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\svchost[1].exe
Imagebase: 0xad0000
File size: 908800 bytes
MD5 hash: F31B0E7D038ED9D64BE2C6EF94FA5171
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis

Execution Graph

Execution Coverage: 13.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 5.2%
Total number of Nodes: 385
Total number of Limit Nodes: 15

23826->23820 23827->23826 23829 10daadc SetWindowLongW 23828->23829 23830 10de150 23829->23830 23830->23820 23832 10ddccf 23831->23832 23835 10ddcf4 23832->23835 23834 10de217 23834->23822 23836 10ddcff 23835->23836 23843 10daa14 23836->23843 23840 10de461 23841 10de2a3 23841->23840 23842 10de138 SetWindowLongW 23841->23842 23842->23840 23844 10daa1f 23843->23844 23845 10dd193 23844->23845 23852 10dd3ef 23844->23852 23860 10dd444 23844->23860 23845->23841 23848 10da934 23845->23848 23849 10dbc40 GetModuleHandleW 23848->23849 23851 10dbcb5 23849->23851 23851->23841 23853 10dd3fa 23852->23853 23854 10da934 GetModuleHandleW 23853->23854 23855 10dd50b 23854->23855 23856 10da934 GetModuleHandleW 23855->23856 23859 10dd585 23855->23859 23857 10dd559 23856->23857 23858 10da934 GetModuleHandleW 23857->23858 23857->23859 23858->23859 23859->23845 23862 10dd44b 23860->23862 23861 10dd585 23861->23845 23862->23861 23863 10da934 GetModuleHandleW 23862->23863 23864 10dd50b 23863->23864 23864->23861 23865 10da934 GetModuleHandleW 23864->23865 23866 10dd559 23865->23866 23866->23861 23867 10da934 GetModuleHandleW 23866->23867 23867->23861 24012 10d6668 24013 10d6678 24012->24013 24018 10d66c8 24013->24018 24023 10d678f 24013->24023 24028 10d66d8 24013->24028 24014 10d6689 24019 10d6702 24018->24019 24020 10d67f9 24019->24020 24033 10d6928 24019->24033 24037 10d6938 24019->24037 24020->24014 24024 10d6794 24023->24024 24025 10d67f9 24024->24025 24026 10d6928 5 API calls 24024->24026 24027 10d6938 5 API calls 24024->24027 24025->24014 24026->24025 24027->24025 24029 10d6702 24028->24029 24030 10d67f9 24029->24030 24031 10d6928 5 API calls 24029->24031 24032 10d6938 5 API calls 24029->24032 24030->24014 24031->24030 24032->24030 24034 10d6945 24033->24034 24035 10d697f 24034->24035 24041 10d638c 24034->24041 24035->24020 24038 10d6945 24037->24038 24039 10d697f 24038->24039 24040 10d638c 5 API calls 24038->24040 24039->24020 24040->24039 24042 10d6397 24041->24042 24044 10d7678 
24042->24044 24045 10d6c84 24042->24045 24044->24044 24046 10d6c8f 24045->24046 24047 10d6c94 4 API calls 24046->24047 24048 10d76e7 24047->24048 24052 10db6c8 24048->24052 24061 10db6b0 24048->24061 24049 10d7720 24049->24044 24053 10db6f9 24052->24053 24055 10db7eb 24052->24055 24054 10db705 24053->24054 24070 10dba00 24053->24070 24074 10dba10 24053->24074 24054->24049 24055->24049 24056 10db746 24078 10dcd10 24056->24078 24094 10dcd20 24056->24094 24063 10db6f9 24061->24063 24065 10db7eb 24061->24065 24062 10db705 24062->24049 24063->24062 24068 10dba00 4 API calls 24063->24068 24069 10dba10 4 API calls 24063->24069 24064 10db746 24066 10dcd10 2 API calls 24064->24066 24067 10dcd20 2 API calls 24064->24067 24065->24049 24066->24065 24067->24065 24068->24064 24069->24064 24072 10dba50 3 API calls 24070->24072 24073 10dba60 3 API calls 24070->24073 24071 10dba1a 24071->24056 24072->24071 24073->24071 24075 10dba1a 24074->24075 24076 10dba50 3 API calls 24074->24076 24077 10dba60 3 API calls 24074->24077 24075->24056 24076->24075 24077->24075 24079 10dcd4a 24078->24079 24080 10daa14 GetModuleHandleW 24079->24080 24081 10dcdac 24080->24081 24087 10daa14 GetModuleHandleW 24081->24087 24110 10dd220 24081->24110 24115 10dd178 24081->24115 24082 10dcdc8 24083 10da934 GetModuleHandleW 24082->24083 24085 10dcdf1 24082->24085 24084 10dce1b 24083->24084 24121 10dd95c 24084->24121 24125 10dd830 24084->24125 24129 10dd9c1 24084->24129 24133 10dd827 24084->24133 24137 10ddac8 24084->24137 24087->24082 24095 10dcd4a 24094->24095 24096 10daa14 GetModuleHandleW 24095->24096 24097 10dcdac 24096->24097 24102 10dd178 GetModuleHandleW 24097->24102 24103 10daa14 GetModuleHandleW 24097->24103 24104 10dd220 GetModuleHandleW 24097->24104 24098 10dcdc8 24099 10da934 GetModuleHandleW 24098->24099 24101 10dcdf1 24098->24101 24100 10dce1b 24099->24100 24105 10dd95c CreateWindowExW 24100->24105 24106 10ddac8 CreateWindowExW 24100->24106 24107 10dd827 CreateWindowExW 24100->24107 24108 
10dd9c1 CreateWindowExW 24100->24108 24109 10dd830 CreateWindowExW 24100->24109 24102->24098 24103->24098 24104->24098 24105->24101 24106->24101 24107->24101 24108->24101 24109->24101 24111 10dd24d 24110->24111 24112 10dd2ce 24111->24112 24113 10dd3ef GetModuleHandleW 24111->24113 24114 10dd444 GetModuleHandleW 24111->24114 24113->24112 24114->24112 24116 10dd193 24115->24116 24117 10dd197 24115->24117 24116->24082 24118 10dd2ce 24117->24118 24119 10dd3ef GetModuleHandleW 24117->24119 24120 10dd444 GetModuleHandleW 24117->24120 24119->24118 24120->24118 24122 10dd96a 24121->24122 24140 10daac4 24122->24140 24126 10dd88c 24125->24126 24127 10daac4 CreateWindowExW 24126->24127 24128 10ddafd 24127->24128 24128->24085 24130 10dd987 24129->24130 24130->24129 24131 10daac4 CreateWindowExW 24130->24131 24132 10ddafd 24131->24132 24132->24085 24134 10dd88c 24133->24134 24135 10daac4 CreateWindowExW 24134->24135 24136 10ddafd 24135->24136 24136->24085 24138 10ddafd 24137->24138 24139 10daac4 CreateWindowExW 24137->24139 24138->24085 24139->24138 24141 10ddb18 CreateWindowExW 24140->24141 24143 10ddc3c 24141->24143 24143->24143 24144 4aa0343 24145 4aa009f 24144->24145 24148 4aa1318 24145->24148 24152 4aa1310 24145->24152 24149 4aa135e OutputDebugStringW 24148->24149 24151 4aa1397 24149->24151 24151->24145 24154 4aa135e OutputDebugStringW 24152->24154 24155 4aa1397 24154->24155 24155->24145 23868 10d6a50 23869 10d6ab6 23868->23869 23873 10d7018 23869->23873 23876 10d7009 23869->23876 23870 10d6b65 23874 10d7046 23873->23874 23882 10d6404 23873->23882 23874->23870 23877 10d707a DuplicateHandle 23876->23877 23878 10d7012 23876->23878 23881 10d7116 23877->23881 23879 10d6404 DuplicateHandle 23878->23879 23880 10d7046 23879->23880 23880->23870 23881->23870 23883 10d7080 DuplicateHandle 23882->23883 23884 10d7116 23883->23884 23884->23874 23885 4fe4ba0 23886 4fe4bbd 23885->23886 23891 4fe43ac 23886->23891 23888 4fe4bca 23895 4fe43dc 23888->23895 23890 4fe4c4d 23892 4fe43b7 
23891->23892 23911 4fe43ec 23892->23911 23894 4fe4cde 23894->23888 23896 4fe43e7 23895->23896 23988 4fe720c 23896->23988 23901 4fe720c 4 API calls 23902 4fe7a75 23901->23902 23903 4fe720c 4 API calls 23902->23903 23904 4fe7aa8 23903->23904 23997 4fe7590 23904->23997 23906 4fe7b0e 24002 4fe75a0 23906->24002 23908 4fe7b41 23909 4fe720c 4 API calls 23908->23909 23910 4fe7b74 23909->23910 23910->23890 23912 4fe43f7 23911->23912 23915 4fe440c 23912->23915 23916 4fe4417 23915->23916 23920 10d7b28 23916->23920 23927 10d6c94 23916->23927 23917 4fe4d9a 23917->23894 23921 10d7b27 23920->23921 23921->23920 23922 10d7dc6 23921->23922 23934 4fea208 23921->23934 23938 4fe9500 23921->23938 23942 4fe8fa0 23921->23942 23945 4fe5219 23921->23945 23922->23917 23928 10d6c9f 23927->23928 23929 10d7dc6 23928->23929 23930 4fea208 4 API calls 23928->23930 23931 4fe5219 4 API calls 23928->23931 23932 4fe8fa0 4 API calls 23928->23932 23933 4fe9500 4 API calls 23928->23933 23929->23917 23930->23929 23931->23929 23932->23929 23933->23929 23948 10dba50 23934->23948 23957 10dba60 23934->23957 23935 4fea216 23935->23922 23940 10dba50 3 API calls 23938->23940 23941 10dba60 3 API calls 23938->23941 23939 4fe950e 23939->23922 23940->23939 23941->23939 23980 4fe9008 23942->23980 23943 4fe8fae 23943->23922 23984 4fe5250 23945->23984 23949 10da934 GetModuleHandleW 23948->23949 23950 10dba73 23949->23950 23951 10dba8b 23950->23951 23966 10dbcd8 23950->23966 23971 10dbce8 23950->23971 23951->23935 23952 10dba83 23952->23951 23953 10dbc88 GetModuleHandleW 23952->23953 23954 10dbcb5 23953->23954 23954->23935 23958 10dba73 23957->23958 23959 10da934 GetModuleHandleW 23957->23959 23960 10dba8b 23958->23960 23964 10dbcd8 2 API calls 23958->23964 23965 10dbce8 2 API calls 23958->23965 23959->23958 23960->23935 23961 10dba83 23961->23960 23962 10dbc88 GetModuleHandleW 23961->23962 23963 10dbcb5 23962->23963 23963->23935 23964->23961 23965->23961 23967 10da934 GetModuleHandleW 23966->23967 23968 10dbcfc 
23967->23968 23970 10dbd21 23968->23970 23976 10da988 23968->23976 23970->23952 23972 10da934 GetModuleHandleW 23971->23972 23973 10dbcfc 23971->23973 23972->23973 23974 10dbd21 23973->23974 23975 10da988 LoadLibraryExW 23973->23975 23974->23952 23975->23974 23977 10dbec8 LoadLibraryExW 23976->23977 23979 10dbf41 23977->23979 23979->23970 23982 10dba50 3 API calls 23980->23982 23983 10dba60 3 API calls 23980->23983 23981 4fe9017 23981->23943 23982->23981 23983->23981 23986 10dba50 3 API calls 23984->23986 23987 10dba60 3 API calls 23984->23987 23985 4fe522e 23985->23922 23986->23985 23987->23985 23989 4fe7217 23988->23989 24007 4fe7690 23989->24007 23991 4fe7a0f 23992 4fe7570 23991->23992 23993 4fe757b 23992->23993 23995 10d7b28 4 API calls 23993->23995 23996 10d6c94 4 API calls 23993->23996 23994 4fe7a42 23994->23901 23995->23994 23996->23994 23998 4fe759b 23997->23998 24000 10d7b28 4 API calls 23998->24000 24001 10d6c94 4 API calls 23998->24001 23999 4fe9a33 23999->23906 24000->23999 24001->23999 24003 4fe75ab 24002->24003 24004 4fea972 24003->24004 24005 10d7b28 4 API calls 24003->24005 24006 10d6c94 4 API calls 24003->24006 24004->23908 24005->24004 24006->24004 24008 4fe769b 24007->24008 24010 10d7b28 4 API calls 24008->24010 24011 10d6c94 4 API calls 24008->24011 24009 4fe8f0c 24009->23991 24010->24009 24011->24009 24156 4fe0cd0 24157 4fe0d12 24156->24157 24159 4fe0d19 24156->24159 24158 4fe0d6a CallWindowProcW 24157->24158 24157->24159 24158->24159 24286 4fe38c0 24287 4fe38e7 24286->24287 24288 4fe39c4 24287->24288 24290 4fe311c 24287->24290 24291 4fe3d40 CreateActCtxA 24290->24291 24293 4fe3e03 24291->24293

                                                                          Executed Functions

Control-flow Graph

[Control-flow graph of the function at 4aa001b (blocks 4aa001b-4aa03d3, coloured Executed / Not Executed): interactive figure not reproduced. It shows the function's basic blocks and its calls to 4aa1010/4aa1020, 4aa1280/4aa1290, 4aa1310/4aa1318, 4aa13b8/4aa13c8 and 4aa14e8/4aa14f8.]
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: i@7$x l
                                                                          • API String ID: 0-1977753969
                                                                          • Opcode ID: 4be01db2c19ccaca6ef282d843249e0c8d4ffe8f306c8874f5e71d1cbc4e88a1
                                                                          • Instruction ID: 43d87271351c7786d9f1c2e239d30a7314be43de27dc902111fcacbd4e4b9a95
                                                                          • Opcode Fuzzy Hash: 4be01db2c19ccaca6ef282d843249e0c8d4ffe8f306c8874f5e71d1cbc4e88a1
                                                                          • Instruction Fuzzy Hash: 0FA16F74E18218CFEB14DFB5E988ADDBBB1FF88304F14852AE406A7295EB346951CF14
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 4aa0040 (blocks 4aa0040-4aa03d3, coloured Executed / Not Executed): interactive figure not reproduced. It shows the function's basic blocks and its calls to 4aa1010/4aa1020, 4aa1280/4aa1290, 4aa1310/4aa1318, 4aa13b8/4aa13c8 and 4aa14e8/4aa14f8.]
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: i@7$x l
                                                                          • API String ID: 0-1977753969
                                                                          • Opcode ID: b0565bbf70e3247b5f98ef7a362b4681e357dd23ac56c84c1ad9153eff836b7f
                                                                          • Instruction ID: afcd6727aa7dd91750ba43ee58452711b8f8a71fcbf1fda63edf2f11edcfb5c4
                                                                          • Opcode Fuzzy Hash: b0565bbf70e3247b5f98ef7a362b4681e357dd23ac56c84c1ad9153eff836b7f
                                                                          • Instruction Fuzzy Hash: 99A12A70E18218DFDB14DFA5E988ADDFBB1FF89304F10852AE406AB295EB346851CF14
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: i@7
                                                                          • API String ID: 0-4109268666
                                                                          • Opcode ID: d024866aa7892ff761e4d9a0c3cf03d0f9cc814715750cb21e20c39e750d5f5c
                                                                          • Instruction ID: 715680c52e7928454d241810541af42549bd7c8e51914ee8f3292f232e497f6f
                                                                          • Opcode Fuzzy Hash: d024866aa7892ff761e4d9a0c3cf03d0f9cc814715750cb21e20c39e750d5f5c
                                                                          • Instruction Fuzzy Hash: E3812D74E18218DFDB14DFA5E988ADDBBB1FF88304F14852AE406E7294EB346951CF14
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.668879465.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4fe0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 837f6c022e3755c0813a88249bab44de0a9aa4a13d86b8a3f3771acdaa91feb8
                                                                          • Instruction ID: 5949b480a430a95dbfd690950f51a310ff4001e8655bfdf3664a433454ccfabc
                                                                          • Opcode Fuzzy Hash: 837f6c022e3755c0813a88249bab44de0a9aa4a13d86b8a3f3771acdaa91feb8
                                                                          • Instruction Fuzzy Hash: A4A2A134A41219CFEB54EF24C894E99B7B1FF4A305F1186E9E50AAB360DB31AD85CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b1fe20f4c1299eb9566efa67a4f353471add70e62202d6688b6196cfac5c741b
                                                                          • Instruction ID: 1568eb0a696c7af45dd16f2fc001448f0232b049fbcbc82e7746c7037c5b7852
                                                                          • Opcode Fuzzy Hash: b1fe20f4c1299eb9566efa67a4f353471add70e62202d6688b6196cfac5c741b
                                                                          • Instruction Fuzzy Hash: 8E525A31A00719CFDB15CF68C880AAEB7B2FF45308F5684A9E959AB251D771FD85CB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: af0af404e467d177073e08822d8a48977ef096e1ebfddb2baed5904ed67278da
                                                                          • Instruction ID: 9ff7fcc2286a1c3333b44a679faab84cdd14cc0acbfbb3037d64b6a3f461ecf0
                                                                          • Opcode Fuzzy Hash: af0af404e467d177073e08822d8a48977ef096e1ebfddb2baed5904ed67278da
                                                                          • Instruction Fuzzy Hash: C3D1A7707017058FEB19EF76C450BAEB7F6AF88704F14886DD18A9B290DB39E906CB51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: ec0577bc55f1d71997312d98dd6a3e00df3496438fd619af544164dc4014be7a
                                                                          • Instruction ID: e82d5d95dc3ba79f6fdb6e83494f437030a03a9b5b452d71c4864745a37a4b6e
                                                                          • Opcode Fuzzy Hash: ec0577bc55f1d71997312d98dd6a3e00df3496438fd619af544164dc4014be7a
                                                                          • Instruction Fuzzy Hash: 93919C75E00319CFCB04DBA4D854AEDBBBAFF89304F558215E516AF3A4EB30A945CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 5c3416b4246241249f615f4a7410a8c38f95be07a13173ecf1f43faee52769c0
                                                                          • Instruction ID: 21582df53a2373f895168d760f066cf074b664dca671d0b7d41236f41715674a
                                                                          • Opcode Fuzzy Hash: 5c3416b4246241249f615f4a7410a8c38f95be07a13173ecf1f43faee52769c0
• Instruction Fuzzy Hash: 6B819C35E10319DFCB04DBE0D8549DDBBBAFF89304F158215E516AF2A4EB30A985CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 37ba5790b9ee890063785cc1e8a30d5b0b0f2e15c7389d08b4fa38ca5e1ddb52
• Instruction ID: 9df2d72d73fb7ccf7bdb4050fdb14d91c3131e5b4c40930def5790d66292aff5
• Opcode Fuzzy Hash: 37ba5790b9ee890063785cc1e8a30d5b0b0f2e15c7389d08b4fa38ca5e1ddb52
• Instruction Fuzzy Hash: 1F819935E10319DFCB04DBE4D8549DDBBBAFF89304F158215E516AF2A4EB30A985CBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fb2a5a811e548f30891b7483a464d75fd66aa0fa00d86dc05c33d85ddd95d03
• Instruction ID: 7eafa2486a86c631b50700ddfd5fbd3a156c534a2a7e24291ba699a642ad5d92
• Opcode Fuzzy Hash: 8fb2a5a811e548f30891b7483a464d75fd66aa0fa00d86dc05c33d85ddd95d03
• Instruction Fuzzy Hash: 60115A71D062188FCB049FA5D9197FEBBF0BB0A311F04906AD455B7290C7785995CF64
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fa7e9e0cb2ede6e2530e9c74be7f8f594845c520945f2c9044557233362b86e
• Instruction ID: eb4aedbc8142460686154f62c8352fad303f1472ed0cd9f2cb7aae178f3d8af7
• Opcode Fuzzy Hash: 8fa7e9e0cb2ede6e2530e9c74be7f8f594845c520945f2c9044557233362b86e
• Instruction Fuzzy Hash: 25115730D052188BCB14DFA6C808BFEBAF1BB4E301F14906AE415B3290D778AA54CF68
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a827c9bea41ebdc09728489154951c3d85cfcb15a8d78637082d15968edf341a
• Instruction ID: 8f9acca423c7346085cb6a12230af30ef084b39e60a7bdc1cf83c9503d95a60e
• Opcode Fuzzy Hash: a827c9bea41ebdc09728489154951c3d85cfcb15a8d78637082d15968edf341a
• Instruction Fuzzy Hash: 56E0227198D2898FD300AFA0CC186BABFB0EB07246F04508EC051FB251E3BCA615DB64
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04AA3B90
• SHPackDispParamsV.SHLWAPI(?,?,00000000,?), ref: 04AA3BAF
Memory Dump Source
• Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
Similarity
• API ID: DispMemoryPackParamsProcessWrite
• String ID:
• API String ID: 1677857715-0
• Opcode ID: 8c69d358969a807c3b22d795b7d68e11aea024c8960343ffd0a8f9d842ab3d6f
• Instruction ID: e67e31df371ce28f40acd89afc3692d57e3523820ead102250d914cee364aa6a
• Opcode Fuzzy Hash: 8c69d358969a807c3b22d795b7d68e11aea024c8960343ffd0a8f9d842ab3d6f
• Instruction Fuzzy Hash: B82125B69003099FCF00CFA9C985BDEBBF5BF48314F04842AE959A7250C7B8A554CBA0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04AA3B90
• SHPackDispParamsV.SHLWAPI(?,?,00000000,?), ref: 04AA3BAF
Memory Dump Source
• Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
Similarity
• API ID: DispMemoryPackParamsProcessWrite
• String ID:
• API String ID: 1677857715-0
• Opcode ID: e4803c683adea632cd1dc8676708b75d5ed9ed80dd086e12f7b0b9a6b7f3300c
• Instruction ID: 55e62c221a3a7c2f0e9c10f3a11f1ad8cd4546d8afed414b479dd4fe01d741c3
• Opcode Fuzzy Hash: e4803c683adea632cd1dc8676708b75d5ed9ed80dd086e12f7b0b9a6b7f3300c
• Instruction Fuzzy Hash: 5E21F5719002599FCF10CFA9C884BDEBBF5FB48314F148429E959A7240D779A954CBA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04AA43BE
Memory Dump Source
• Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 660bdbfa9c4a30f8a7d6a5b74de9521033ee1d591f5e01546ff7ee53963af7b4
• Instruction ID: 49238da33e6f6a0a4cb97482eea30753327c68bdb402d1487c5557cbc2be29b2
• Opcode Fuzzy Hash: 660bdbfa9c4a30f8a7d6a5b74de9521033ee1d591f5e01546ff7ee53963af7b4
• Instruction Fuzzy Hash: 52916D71D00219DFEF14CFA9C8807EDBBB2BF48318F058569E819A7240DBB4A995CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04AA43BE
Memory Dump Source
• Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 34bc6ab795a000bdafce950f2846a68ef4e9f5dec6d09d29cae190bae36c0972
• Instruction ID: c8de6d52908d03eb9f361a92dc9f51fa970edd391ec2f4b17009839bdd1598b2
• Opcode Fuzzy Hash: 34bc6ab795a000bdafce950f2846a68ef4e9f5dec6d09d29cae190bae36c0972
• Instruction Fuzzy Hash: 2D916D71D00219DFEF14CFA8C8817EDBBB2BF48318F058569E819A7240DBB4A995CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
Memory Dump Source
• Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 4cad3974a74301cb4dec5a094a1e0ddb5bd3ecfd4cfab570179f7b3bda7e6341
• Instruction ID: 970f83eb5e552e039ea212e888ba3cae86630a15d51f7c264ef0a78d345d99c2
• Opcode Fuzzy Hash: 4cad3974a74301cb4dec5a094a1e0ddb5bd3ecfd4cfab570179f7b3bda7e6341
• Instruction Fuzzy Hash: 93713670A00B098FDB64DF2AD44079ABBF1FF89214F01896ED58AD7A40DB75E906CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010DDC2A
Memory Dump Source
• Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 59c2b18de7dc2472d3e785ab9751a6ddb5b0230269eda4a87b10cccd147413b8
• Instruction ID: a8a2b6698fe79e5162d8eefd7a37abbc0bfdf4cfff3e5d45bc77012704c2f5f3
• Opcode Fuzzy Hash: 59c2b18de7dc2472d3e785ab9751a6ddb5b0230269eda4a87b10cccd147413b8
• Instruction Fuzzy Hash: CC51DFB1D00349DFDB14CF99C884ADEBFB5BF49314F24812AE819AB250D7B49845CF90
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010DDC2A
Memory Dump Source
• Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: f831212454f8aa8475cbde4e2070f6002b2876aee2dc6e325b4c27c02ca2bf83
• Instruction ID: d9bf608dd9cad13b5b73e04d6febd4dc3f92aec1cf2d8d7fa8ed36152b0e0fc4
• Opcode Fuzzy Hash: f831212454f8aa8475cbde4e2070f6002b2876aee2dc6e325b4c27c02ca2bf83
• Instruction Fuzzy Hash: BE51A0B1D00309DFDB14CF99D884ADEBBB5FF49314F24812AE819AB250D7B59945CF90
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010DDC2A
Memory Dump Source
• Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: cdb4461d185d6cbd01b3894a2e931483290b2c388964b1a94e4b8ea4c556709c
• Instruction ID: 557cc0384a7fd16af84ace985f8a0b03fdabe58533b2c65966f83dda00f4211e
• Opcode Fuzzy Hash: cdb4461d185d6cbd01b3894a2e931483290b2c388964b1a94e4b8ea4c556709c
• Instruction Fuzzy Hash: 4051BEB1D0030DDFDB14CF9AC884ADEBBB5BF48314F24812AE819AB250D7B4A945CF90
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010D7046,?,?,?,?,?), ref: 010D7107
Memory Dump Source
• Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: f732415809ca1ab92f15ca21f11c537210fd333beec3a6d75a477dbf8048d8c9
• Instruction ID: 692a97791013be097681b59fbc12d2b7a7aeda8fa857aa428c37e23b411c07d0
• Opcode Fuzzy Hash: f732415809ca1ab92f15ca21f11c537210fd333beec3a6d75a477dbf8048d8c9
• Instruction Fuzzy Hash: A9415B76900258AFCB01CFA9D884ADEBFF5FB89310F14805AEA54A7311C3759915DFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced in text]
APIs
• CreateActCtxA.KERNEL32(?), ref: 04FE3DF1
Memory Dump Source
• Source File: 00000000.00000002.668879465.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fe0000_svchost[1].jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 62ba9a7707d1192642409fed3043e8359de944ecd2a56c4837d7c5d4df0ac87a
• Instruction ID: bd774689d5826247fb543b13c5aaefe68c113e5f3d7409b749a35d5c64198610
• Opcode Fuzzy Hash: 62ba9a7707d1192642409fed3043e8359de944ecd2a56c4837d7c5d4df0ac87a
• Instruction Fuzzy Hash: A241C371C0461DCBDB24DFAAC888BDEBBF5BF49309F108069D409AB251D7B5694ACF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 04FE0D91
Memory Dump Source
• Source File: 00000000.00000002.668879465.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fe0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: CallProcWindow
                                                                          • String ID:
                                                                          • API String ID: 2714655100-0
                                                                          • Opcode ID: 0bfc65063247dd15ca398eedc3670c9ca0682d9990365d33aa6b128f76c0bf66
                                                                          • Instruction ID: 8178b67b3f7d96f000d4198dc1ea9a1caa2484b7a183febf4e76d4338bd89ffe
                                                                          • Opcode Fuzzy Hash: 0bfc65063247dd15ca398eedc3670c9ca0682d9990365d33aa6b128f76c0bf66
                                                                          • Instruction Fuzzy Hash: 32412BB5900219CFDB14CF99C488BAABBF5FB89314F148459E519AB321D7B4E842CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 04AA39E6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: ContextThread
                                                                          • String ID:
                                                                          • API String ID: 1591575202-0
                                                                          • Opcode ID: 5efb8df71a0a97956c6d8822b2fd1a2d6d1f4289a571d22243969f69a943cc57
                                                                          • Instruction ID: 18ef4f926f3743eb9ec8dd63aeb8d21c967bfb04ad2c340b87d590b5b49ec512
                                                                          • Opcode Fuzzy Hash: 5efb8df71a0a97956c6d8822b2fd1a2d6d1f4289a571d22243969f69a943cc57
                                                                          • Instruction Fuzzy Hash: 5D2189B5D043098FCB10CFA9C4857DEBBF0EF49214F04C52AD959A7241C778A946CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010D7046,?,?,?,?,?), ref: 010D7107
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 686397d08ac796d5d38f323c634bc56f752e310d4aee34f4c14a62aeaa530687
                                                                          • Instruction ID: ed62323304a52afbe093746d37b2b06eb9216fe142c4682cf8eb5354c97b48bf
                                                                          • Opcode Fuzzy Hash: 686397d08ac796d5d38f323c634bc56f752e310d4aee34f4c14a62aeaa530687
                                                                          • Instruction Fuzzy Hash: 3221D2B59002589FDB10CFAAD884BDEBBF4FB49324F14841AE955A7310D374A954CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010D7046,?,?,?,?,?), ref: 010D7107
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 74e2afe412cc43b519ffd8a6fbef02df39c75e3e40364103c580848be9e42917
                                                                          • Instruction ID: e536edbde87b00ed379ad7b839b7bf3365273b55dacf10d366be57e2819b5c4b
                                                                          • Opcode Fuzzy Hash: 74e2afe412cc43b519ffd8a6fbef02df39c75e3e40364103c580848be9e42917
                                                                          • Instruction Fuzzy Hash: E121E0B5D012089FDB10CFAAD884ADEFBF4FB49324F14841AE959A7310D374A955CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AA4070
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          • Opcode ID: 3da929de905306640ffefa2e23143b56f6d266349bedffb9b6b6de5a335a5b10
                                                                          • Instruction ID: 6d154b1d0404c0b927c64f206787e92a93c6d7a328fe6ac15eac9dc346d5f71c
                                                                          • Opcode Fuzzy Hash: 3da929de905306640ffefa2e23143b56f6d266349bedffb9b6b6de5a335a5b10
                                                                          • Instruction Fuzzy Hash: 76212871D002499FCB10CFAAC8847EEBBF5FF48314F108429E919A7240C779A954CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 04AA39E6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: ContextThread
                                                                          • String ID:
                                                                          • API String ID: 1591575202-0
                                                                          • Opcode ID: 700e05022c9ca97086c9bb602671ff5bc806c1c193cad722f677b24271b72c8a
                                                                          • Instruction ID: 2aa61cbc090cb4d5789580aaeb46774b0703960700c0efdbc650f1f3184022df
                                                                          • Opcode Fuzzy Hash: 700e05022c9ca97086c9bb602671ff5bc806c1c193cad722f677b24271b72c8a
                                                                          • Instruction Fuzzy Hash: 41213571D043098FCB10DFAAC4847EEBBF4EF49324F14842AD959A7640CBB8A945CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AA4070
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          • Opcode ID: 2e5e99c9e7f28588a4bc8091889ae303ea4a1b30b4eb37dab5774b342e656d01
                                                                          • Instruction ID: c7800f9bcf35e0f2cf1aadbeacb8caff3dcd2932e67bf0db819b62fcbf0a38cb
                                                                          • Opcode Fuzzy Hash: 2e5e99c9e7f28588a4bc8091889ae303ea4a1b30b4eb37dab5774b342e656d01
                                                                          • Instruction Fuzzy Hash: A22157B2C002098FCF00CFA9C8847EEBBF5FF48310F04842AE919A7240C7789954CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010DBD21,00000800,00000000,00000000), ref: 010DBF32
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: f828ebffd40a09772e66993a2f3364bdeb67ccdd73a61b0aad12e0d75e85dbbb
                                                                          • Instruction ID: c63826d97fc2df0f453b69be7a907af43a7aa49bb9bba11fd6738dab87172da1
                                                                          • Opcode Fuzzy Hash: f828ebffd40a09772e66993a2f3364bdeb67ccdd73a61b0aad12e0d75e85dbbb
                                                                          • Instruction Fuzzy Hash: F01103B29043098FDB10CF9AC444BDEFBF4EB49324F05846EE559A7200C3B5A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010DBD21,00000800,00000000,00000000), ref: 010DBF32
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 6b02d9478ff124dfae2ede92e7fc3fd18a76410a89cf2b79066f38ab42881108
                                                                          • Instruction ID: 97a6fd0841301151e65466e4588daa6528a44447cdc5fcf645240daf12dac46b
                                                                          • Opcode Fuzzy Hash: 6b02d9478ff124dfae2ede92e7fc3fd18a76410a89cf2b79066f38ab42881108
                                                                          • Instruction Fuzzy Hash: 921103B28003098FDB10CFAAC488BDEFBF4EB49324F15846AE515A7200C3B5A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AA3AAE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: f39c156b0778d1e565e3447fcc9e5362d05ba5d5365ddc0b458788ef48c7d09d
                                                                          • Instruction ID: 76785f1d6d72b470474f140bfaf59763fb62dc8f8fc2c32fe316efec9417f897
                                                                          • Opcode Fuzzy Hash: f39c156b0778d1e565e3447fcc9e5362d05ba5d5365ddc0b458788ef48c7d09d
                                                                          • Instruction Fuzzy Hash: 771137769002099FCF10CFA9C8447DEBBF5BF48324F148419E926A7250C779A954CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AA3AAE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: d18e471e5602f69ac8668967a2f3480b0079684a7b9663b44eb7aef22684b65a
                                                                          • Instruction ID: ffcf5b00e88b6e193cf8554241df681be7f09d6af83bd3095f2a0b4368e04e27
                                                                          • Opcode Fuzzy Hash: d18e471e5602f69ac8668967a2f3480b0079684a7b9663b44eb7aef22684b65a
                                                                          • Instruction Fuzzy Hash: B81126729002489FCF10DFAAC8447DFBBF5AB48324F148419E915A7250C775A954CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 010DE1C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: 2bc42a3d93056f9cb55056ca744bb46450fd08ae5ec9947b1ea48068f5274e79
                                                                          • Instruction ID: 1b61725ebb2d5577e6db5504dfe4a8cfeb23ac08ab84f4f4ff708839a3deb385
                                                                          • Opcode Fuzzy Hash: 2bc42a3d93056f9cb55056ca744bb46450fd08ae5ec9947b1ea48068f5274e79
                                                                          • Instruction Fuzzy Hash: 501149B5904348DFDB10CF99C884BDEBBF4FB59324F10851AD465A7640C3B4A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 04AA1388
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: DebugOutputString
                                                                          • String ID:
                                                                          • API String ID: 1166629820-0
                                                                          • Opcode ID: 7a9dfdba05e9b0c6c38c9adb78e1be0e95ceb378e3391814421232d048a5700d
                                                                          • Instruction ID: 737fe7e05961662254d12828ddbb7e74609584213933704199589c80cd4267e7
                                                                          • Opcode Fuzzy Hash: 7a9dfdba05e9b0c6c38c9adb78e1be0e95ceb378e3391814421232d048a5700d
                                                                          • Instruction Fuzzy Hash: A91132B1D006199BCB10CF9AD484BDEFBF4FB49320F04812AE818B3600C7B4A954CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 04AA1388
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: DebugOutputString
                                                                          • String ID:
                                                                          • API String ID: 1166629820-0
                                                                          • Opcode ID: be255624564621247414d3e2833de4abc44f60cc35dec349db1394b5cf3e574b
                                                                          • Instruction ID: 9dbac093b24d8777fcb512cb6326e6755b57751d6f9100b6c9bed0d656ea5c39
                                                                          • Opcode Fuzzy Hash: be255624564621247414d3e2833de4abc44f60cc35dec349db1394b5cf3e574b
                                                                          • Instruction Fuzzy Hash: DA1100B5D006599BCB00CF9AD5847EEFBB4FB49320F04812AD819B7640D774A555CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,010DBA73), ref: 010DBCA6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 66cd2d7150b701c55af6d8de726535e1c64f5e877e0ec99fcb1749ff95f82df9
                                                                          • Instruction ID: 8c50007cd12e86f7758877b1c66872733ac9431ca1a5943c7ee54cd7622915a8
                                                                          • Opcode Fuzzy Hash: 66cd2d7150b701c55af6d8de726535e1c64f5e877e0ec99fcb1749ff95f82df9
                                                                          • Instruction Fuzzy Hash: A911F3B5C007498BDB10CF9AC444BDEBBF4FB8A224F11845AD859B7600D7B4A546CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 065d3cdfdf25b1eb831750ace780fce2c96bbbc87aa20da1f6bbfc7097db5c3f
                                                                          • Instruction ID: 8fc147d522465be50024ae561e97a45217dbcf6d4ab4c276e3b0cca52a8f0f2b
                                                                          • Opcode Fuzzy Hash: 065d3cdfdf25b1eb831750ace780fce2c96bbbc87aa20da1f6bbfc7097db5c3f
                                                                          • Instruction Fuzzy Hash: E7113AB1D042488FCB10DFA9C4447DEFBF5AF48324F148419D519B7640C7B9A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 7d4e295c60df577a88cc1ee9c3ba24007c33c7adfcd2122aea7c24a57032186b
                                                                          • Instruction ID: df5a27290f190c1c13204f774d87def056a5952d4a149c5c9db6d47f3b1ec7f6
                                                                          • Opcode Fuzzy Hash: 7d4e295c60df577a88cc1ee9c3ba24007c33c7adfcd2122aea7c24a57032186b
                                                                          • Instruction Fuzzy Hash: B81106B1D043488FDB10DFAAC4487DFFBF5AB89324F148429D529A7640CBB9A945CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 04AA7155
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          • Opcode ID: 11d64e147fbe58cb5aed3d10153f82a8b0865e6a214ce7ae0ae4310ea22066d3
                                                                          • Instruction ID: f8a3c8d53be7b5e4f5886f0443ec4a123042f0e08a1b4a29689918403d782dfb
                                                                          • Opcode Fuzzy Hash: 11d64e147fbe58cb5aed3d10153f82a8b0865e6a214ce7ae0ae4310ea22066d3
                                                                          • Instruction Fuzzy Hash: A611E3B59006499FDB10DF99C888BDFBBF8EB49324F108419E515A7600C3B4A954CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 010DE1C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: edce281384503c483f22687b8416c95b3f84cadd1f547ebc773ba4ad3fa0abde
                                                                          • Instruction ID: 236ae2ab63014f0b9ca91202bae38dba96a9aca2adc6d3f518c34a83739bedfa
                                                                          • Opcode Fuzzy Hash: edce281384503c483f22687b8416c95b3f84cadd1f547ebc773ba4ad3fa0abde
                                                                          • Instruction Fuzzy Hash: CD11F2B59003499FDB10CF99C488BDEBBF8EB49324F10841AE955B7700C3B4A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 010DE1C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.664828005.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_10d0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: 3d51f23e0edb91f60da8caf0f2970b81530a9d32febda29686432052d6169150
                                                                          • Instruction ID: 4f49e99a4e34cda455569fc41742fb5be6af454b7dcabe4ec9861a2488a66836
                                                                          • Opcode Fuzzy Hash: 3d51f23e0edb91f60da8caf0f2970b81530a9d32febda29686432052d6169150
                                                                          • Instruction Fuzzy Hash: 3811F5B59002488FDB10CF99D485BDEBBF8FB49324F108519D959A7600C3B4A945CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 04AA7155
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          • Opcode ID: e1e3bd51079dfbde3fd9f9b753ba5bd239b6c678eeb647be440176ce5402ff36
                                                                          • Instruction ID: c3dbc11c5b462c4314dab58582403638d29f43ce45f3798e0cd61994872b99c5
                                                                          • Opcode Fuzzy Hash: e1e3bd51079dfbde3fd9f9b753ba5bd239b6c678eeb647be440176ce5402ff36
                                                                          • Instruction Fuzzy Hash: 0511F2B58002499FDB10CF99D889BDEFBF4FB49324F108419E928A7700C3B5A554CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: C?BD$C?BD$C?BD
                                                                          • API String ID: 0-3985855954
                                                                          • Opcode ID: 250c6b1e3ecb9545f2c9b0f6e79baba6304639e56aed47900427ef7620b4680d
                                                                          • Instruction ID: a60260b2bf942daea48da29404926ca4ee16a384a5df733d3021736e479ed94b
                                                                          • Opcode Fuzzy Hash: 250c6b1e3ecb9545f2c9b0f6e79baba6304639e56aed47900427ef7620b4680d
                                                                          • Instruction Fuzzy Hash: DC413A70E01219DBDB18CFAAD98079EFBB2FF88300F14C56AD509AB254EB309A558F11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: C?BD$C?BD$C?BD
                                                                          • API String ID: 0-3985855954
                                                                          • Opcode ID: c4d95e3103492d6cb2b8efeb53f9f293774348f7ee640da1be1d838227cc7cb4
                                                                          • Instruction ID: f873f5a12bb335bde941aee151ea845facb84e9c2cc6849a00c28e60e28df828
                                                                          • Opcode Fuzzy Hash: c4d95e3103492d6cb2b8efeb53f9f293774348f7ee640da1be1d838227cc7cb4
                                                                          • Instruction Fuzzy Hash: 22416A70E112199FDB18CFA6D9806AEFBF2BF88300F14C56AD508EB254EB349A518F51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ],-$V,I6
                                                                          • API String ID: 0-478491377
                                                                          • Opcode ID: 0706b5908aa7512a93de1f9905a2222636bf147d63e4a4027bff08dcfe31ac91
                                                                          • Instruction ID: 1e58162eb0b9c61c30b3d78df87a09e9ac6ae539c13e8cb1a1e0678e6efe7bc8
                                                                          • Opcode Fuzzy Hash: 0706b5908aa7512a93de1f9905a2222636bf147d63e4a4027bff08dcfe31ac91
                                                                          • Instruction Fuzzy Hash: 73911474E05209DFDB08CFA9D5445EEFBF2AF89300F60842AD505BB314E771AA118F59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ],-$V,I6
                                                                          • API String ID: 0-478491377
                                                                          • Opcode ID: da01f855f6efa42cca49eb0e01a8c79d465942b1fd124638b1cff4bef05a46cd
                                                                          • Instruction ID: b01ec101858515ad7ffb3fa7700adf179d1b942b859d4f7914c4cf33d1ecb6d4
                                                                          • Opcode Fuzzy Hash: da01f855f6efa42cca49eb0e01a8c79d465942b1fd124638b1cff4bef05a46cd
                                                                          • Instruction Fuzzy Hash: EB81F3B4E05209DFDB44CFE9D5849DEBBF2AF89300F60842AD505BB354E731AA118F58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E00672050(intOrPtr* __eax, signed int* __ebx, signed int __ecx, intOrPtr* __edx, intOrPtr* __edi, intOrPtr* __esi, void* __fp0) {
                                                                          				signed char _t280;
                                                                          				signed char _t281;
                                                                          				intOrPtr* _t283;
                                                                          				signed char _t284;
                                                                          				signed char _t285;
                                                                          				signed char _t286;
                                                                          				signed char _t287;
                                                                          				signed char _t289;
                                                                          				signed char _t290;
                                                                          				signed char _t291;
                                                                          				intOrPtr* _t292;
                                                                          				signed char _t293;
                                                                          				signed char _t294;
                                                                          				signed char _t295;
                                                                          				intOrPtr* _t296;
                                                                          				intOrPtr* _t519;
                                                                          				signed int* _t521;
                                                                          				signed char _t546;
                                                                          				void* _t547;
                                                                          				void* _t549;
                                                                          				signed char _t550;
                                                                          				signed char _t551;
                                                                          				signed char _t552;
                                                                          				signed char _t553;
                                                                          				signed char _t554;
                                                                          				signed char _t555;
                                                                          				intOrPtr* _t615;
                                                                          				intOrPtr* _t617;
                                                                          				signed int* _t618;
                                                                          				intOrPtr* _t619;
                                                                          				intOrPtr* _t620;
                                                                          				signed int* _t621;
                                                                          				signed int* _t622;
                                                                          				intOrPtr* _t654;
                                                                          				intOrPtr* _t657;
                                                                          				signed int _t661;
                                                                          				void* _t679;
                                                                          				void* _t943;
                                                                          
                                                                          				_t657 = __esi;
                                                                          				_t654 = __edi;
                                                                          				_t521 = __ebx;
                                                                          				asm("sbb esi, [eax]");
                                                                          				_t280 = __eax +  *__eax;
                                                                          				_pop(ds);
                                                                          				 *_t280 =  *_t280 + _t280;
                                                                          				 *_t280 =  *_t280 + _t280;
                                                                          				 *_t280 =  *_t280 + _t280;
                                                                          				 *_t280 =  *_t280 + _t280;
                                                                          				 *_t280 =  *_t280 + __ecx;
                                                                          				_pop(ds);
                                                                          				 *_t280 =  *_t280 + _t280;
                                                                          				_t546 = __ecx |  *_t280;
                                                                          				 *_t280 =  *_t280 & _t280;
                                                                          				 *__edx =  *__edx + _t546;
                                                                          				_t615 = __edx + __ebx;
                                                                          				_t281 = _t280 +  *_t280;
                                                                          				_t943 = __fp0 +  *_t281;
                                                                          				 *__edi =  *__edi - _t281;
                                                                          				 *_t281 =  *_t281 + _t281;
                                                                          				_push(es);
                                                                          				_t547 = _t546 +  *((intOrPtr*)(__edi + 0x21));
                                                                          				 *_t281 =  *_t281 + _t281;
                                                                          				_t283 = (_t281 |  *_t281) -  *(_t281 |  *_t281);
                                                                          				 *_t283 =  *_t283 + _t615;
                                                                          				 *_t283 =  *_t283 + _t283;
                                                                          				_t284 = _t283 +  *_t283;
                                                                          				 *_t284 =  *_t284 + _t284;
                                                                          				_push(cs);
                                                                          				asm("sldt word [edx]");
                                                                          				 *_t284 =  *_t284 + _t284;
                                                                          				 *_t284 =  *_t284 + _t284;
                                                                          				asm("stosb");
                                                                          				 *_t615 =  *_t615 + _t284;
                                                                          				 *_t615 =  *_t615 - _t284;
                                                                          				 *_t284 =  *_t284 + _t284;
                                                                          				_t285 = _t284 |  *_t284;
                                                                          				 *__ebx =  *__ebx - _t285;
                                                                          				 *_t285 =  *_t285 + _t285;
                                                                          				_t286 = _t285 |  *_t285;
                                                                          				_t617 = _t615 +  *__esi +  *__edi;
                                                                          				 *((intOrPtr*)(_t286 + _t286)) =  *((intOrPtr*)(_t286 + _t286)) - _t286;
                                                                          				 *_t617 =  *_t617 + _t547;
                                                                          				 *_t617 =  *_t617 + _t286;
                                                                          				ss = ss;
                                                                          				 *0xa0000 =  *0xa0000 - _t286;
                                                                          				_t618 = _t617 +  *__esi;
                                                                          				 *__esi =  *__esi - _t286;
                                                                          				 *_t286 =  *_t286 + _t286;
                                                                          				_t287 = _t286 |  *_t286;
                                                                          				_t549 = _t547 -  *__esi +  *_t287;
                                                                          				 *_t287 =  *_t287 | _t287;
                                                                          				 *__esi =  *__esi + _t287;
                                                                          				asm("outsd");
                                                                          				asm("insb");
                                                                          				 *_t287 =  *_t287 + _t287;
                                                                          				_push(es);
                                                                          				 *__edi =  *__edi - _t287;
                                                                          				 *_t287 =  *_t287 + _t287;
                                                                          				_t289 = (_t287 |  *_t287) -  *__esi;
                                                                          				 *_t618 =  *_t618 + _t289;
                                                                          				 *_t289 =  *_t289 - _t549;
                                                                          				 *_t289 =  *_t289 + _t289;
                                                                          				_t290 = _t289 |  *_t289;
                                                                          				_t550 = _t549 - _t618;
                                                                          				if(_t550 >= 0) {
                                                                          					L6:
                                                                          					 *_t618 =  *_t618 + _t550;
                                                                          					 *0x2a040000 =  *0x2a040000;
                                                                          					 *_t290 =  *_t290 + _t290;
                                                                          					goto L7;
                                                                          				} else {
                                                                          					 *_t290 =  *_t290 + _t290;
                                                                          					_t290 = _t290 |  *(_t290 + 0x4000001);
                                                                          					if(_t290 >= 0) {
                                                                          						L7:
                                                                          						asm("adc esi, [eax]");
                                                                          						 *_t290 =  *_t290 + _t290;
                                                                          						asm("adc [eax], al");
                                                                          						 *_t290 =  *_t290 + _t290;
                                                                          						 *_t290 =  *_t290 + _t290;
                                                                          						 *_t550 = _t618 +  *_t550;
                                                                          						_t679 =  *_t550;
                                                                          						goto L8;
                                                                          					} else {
                                                                          						 *_t290 =  *_t290 + _t290;
                                                                          						_t290 = _t290 |  *(_t290 + 0x4000002);
                                                                          						if(_t290 >= 0) {
                                                                          							L8:
                                                                          							asm("adc [eax], eax");
                                                                          							if(_t679 > 0) {
                                                                          								 *_t290 =  *_t290 + _t290;
                                                                          							}
                                                                          							 *((intOrPtr*)(_t654 + _t661 * 2)) =  *((intOrPtr*)(_t654 + _t661 * 2)) + _t290;
                                                                          							 *[cs:eax] =  *[cs:eax] + _t290;
                                                                          							goto L11;
                                                                          						} else {
                                                                          							 *_t290 =  *_t290 + _t290;
                                                                          							_t290 = _t290 |  *(_t290 + 0x4000003);
                                                                          							if(_t290 >= 0) {
                                                                          								L11:
                                                                          								_t550 = _t550 |  *_t618;
                                                                          								_t291 = _t290 -  *_t290;
                                                                          								_push(es);
                                                                          								_t618 = _t618 -  *_t521;
                                                                          								 *_t550 =  *_t550 ^ _t291;
                                                                          								 *_t291 =  *_t291 + _t618;
                                                                          							} else {
                                                                          								 *_t290 =  *_t290 + _t290;
                                                                          								_t291 = _t290 |  *(_t290 + 0x4000004);
                                                                          								if(_t291 < 0) {
                                                                          									 *_t291 =  *_t291 + _t291;
                                                                          									goto L6;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				 *_t291 =  *_t291 + _t291;
                                                                          				 *_t618 =  *_t618 + _t291;
                                                                          				 *_t291 =  *_t291 + _t291;
                                                                          				asm("adc [eax], eax");
                                                                          				if( *_t291 > 0) {
                                                                          					 *_t291 =  *_t291 + _t291;
                                                                          				}
                                                                          				_t292 = _t291 + 0x6f;
                                                                          				asm("das");
                                                                          				 *_t292 =  *_t292 + _t292;
                                                                          				_t551 = _t550 |  *_t618;
                                                                          				_t293 = _t292 -  *_t292;
                                                                          				_push(es);
                                                                          				_t619 = _t618 -  *_t521;
                                                                          				 *_t551 =  *_t551 ^ _t293;
                                                                          				 *_t293 =  *_t293 + _t619;
                                                                          				 *_t293 =  *_t293 + _t293;
                                                                          				 *_t521 =  *_t521 + _t293;
                                                                          				 *_t293 =  *_t293 + _t293;
                                                                          				asm("adc [eax], eax");
                                                                          				if( *_t293 > 0) {
                                                                          					 *_t293 =  *_t293 + _t293;
                                                                          					_t293 = _t293 + 0x6f;
                                                                          				}
                                                                          				asm("outsd");
                                                                          				 *_t293 =  *_t293 ^ _t293;
                                                                          				 *_t619 =  *_t619 + _t551;
                                                                          				_t552 = _t551 |  *_t521;
                                                                          				 *_t657 =  *_t657 + _t293;
                                                                          				_t620 = _t619 -  *_t521;
                                                                          				 *_t552 =  *_t552 ^ _t293;
                                                                          				 *_t293 =  *_t293 + _t620;
                                                                          				 *_t293 =  *_t293 + _t293;
                                                                          				 *((intOrPtr*)(_t293 + _t293)) =  *((intOrPtr*)(_t293 + _t293)) + _t293;
                                                                          				 *_t552 =  *_t552 + _t620;
                                                                          				 *((intOrPtr*)(_t657 + 4)) =  *((intOrPtr*)(_t657 + 4)) + _t521;
                                                                          				 *_t293 =  *_t293 + _t293;
                                                                          				_t294 = _t293 + 0x6f;
                                                                          				 *_t294 =  *_t294 ^ _t294;
                                                                          				 *_t620 =  *_t620 + _t552;
                                                                          				_t553 = _t552 |  *_t521;
                                                                          				 *_t657 =  *_t657 + _t294;
                                                                          				_t621 = _t620 -  *_t521;
                                                                          				 *_t553 =  *_t553 ^ _t294;
                                                                          				 *_t294 = _t621 +  *_t294;
                                                                          				 *_t294 =  *_t294 + _t294;
                                                                          				 *0x110000 =  *0x110000 + _t294;
                                                                          				if ( *0x110000 <= 0) goto L19;
                                                                          				goto L17;
                                                                          				 *_t519 =  *_t519 + _t519;
                                                                          				_t294 = _t519 + 0x0000006f ^  *(_t519 + 0x6f);
                                                                          				 *_t294 =  *_t294 + _t294;
                                                                          				_t554 = _t553 |  *_t621;
                                                                          				_t295 = _t294 -  *_t294;
                                                                          				_push(es);
                                                                          				_t622 = _t621 -  *_t521;
                                                                          				 *_t622 =  *_t622 ^ _t295;
                                                                          				 *((intOrPtr*)(_t295 + _t295)) =  *((intOrPtr*)(_t295 + _t295)) + _t521;
                                                                          				 *_t295 =  *_t295 + _t295;
                                                                          				_push(es);
                                                                          				 *_t295 =  *_t295 + _t295;
                                                                          				asm("adc [eax], eax");
                                                                          				if( *_t295 > 0) {
                                                                          					 *_t295 =  *_t295 + _t295;
                                                                          					_t295 = _t295 + 0x14;
                                                                          					 *_t521 =  *_t521 - _t622;
                                                                          				}
                                                                          				 *_t295 =  *_t295 + _t295;
                                                                          				_t555 = _t554 |  *_t521;
                                                                          				_pop(es);
                                                                          				_t296 = _t295 - 0x21;
                                                                          				if(_t296 >= 0) {
                                                                          					 *_t296 =  *_t296 + _t296;
                                                                          				}
                                                                          				 *((intOrPtr*)(_t296 - 0x30)) =  *((intOrPtr*)(_t296 - 0x30)) + _t622;
                                                                          			}

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.663611413.0000000000672000.00000002.00020000.sdmp, Offset: 00670000, based on PE: true
                                                                          • Associated: 00000000.00000002.663601800.0000000000670000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_670000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 70f98ba3994a0fddbd14377c15bcbb77487a9500c417e442b6c7b8e0bac3c33e
                                                                          • Instruction ID: 6f4335914f31e7253e9a547ac5a2be555e9e14f45a8be3d37de483331e89484a
                                                                          • Opcode Fuzzy Hash: 70f98ba3994a0fddbd14377c15bcbb77487a9500c417e442b6c7b8e0bac3c33e
                                                                          • Instruction Fuzzy Hash: 1403236140E7C25FCB138B749CB16D1BFB2AE5721471E89CBC4C0CF4A3E2195A6AD762
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E006746E0(void* __eax, intOrPtr* __ecx, void* __edx) {
                                                                          				signed int _t9;
                                                                          
                                                                          				 *(_t9 &  *_t9) =  *(_t9 &  *_t9) + (_t9 &  *_t9);
                                                                          				 *__ecx =  *__ecx + __edx;
                                                                          				asm("adc al, 0xef");
                                                                          			}

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.663611413.0000000000672000.00000002.00020000.sdmp, Offset: 00670000, based on PE: true
                                                                          • Associated: 00000000.00000002.663601800.0000000000670000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_670000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: /
                                                                          • API String ID: 0-2043925204
                                                                          • Opcode ID: dd321f1c525260367e85fa694cea1403446915ddc9a70cb978e78a7c7ae416c4
                                                                          • Instruction ID: 56dbb9283b56563732a0c118ebf4418f67ae2b1ec1330aa793ac11bac0e23909
                                                                          • Opcode Fuzzy Hash: dd321f1c525260367e85fa694cea1403446915ddc9a70cb978e78a7c7ae416c4
                                                                          • Instruction Fuzzy Hash: F432EC6644E3C25FD7138B748CB5681BFB0AE2322471E46DBC4C5CF4A3E2185A6AD763
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.667842168.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4aa0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: l,H
                                                                          • API String ID: 0-2916200207
                                                                          • Opcode ID: a847b21f52b9c1f3c04bfdb583352a83fe3728a2f164e50eb293f85d5c1557d4
                                                                          • Instruction ID: e8e46afd7b09f3a75d1ee229f31daf15d6fdc6f50c6d604f00361ac95c4dca36
                                                                          • Opcode Fuzzy Hash: a847b21f52b9c1f3c04bfdb583352a83fe3728a2f164e50eb293f85d5c1557d4
                                                                          • Instruction Fuzzy Hash: 3BB147B4E1521A9FDB08CFA9C98459EFBF2BF88340F14D129C405BB358E734A9028F65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
Execution Graph

Execution Coverage: 10.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 172
Total number of Limit Nodes: 16

Graph

[Execution graph figure: rendered call graph of the executed functions. API calls visible in the graph: GlobalMemoryStatusEx, DuplicateHandle, GetModuleHandleW, CallWindowProcW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, RtlEncodePointer, CreateWindowExW. Raw node/edge dump omitted.]

                                                                          Executed Functions

                                                                          Control-flow Graph

[Graph legend and edge list omitted: residue of the interactive graph widget. Function 55ab818 to 55abd9f; calls WaitMessage and the internal routines 55aa768, 55aa774, 55aa780, 55aa78c, 55aa798, 55aa7a8, 55aa7b4, 55aa7c0.]
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.910366590.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_55a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2dc3caf9d911d0a06829744df2659007d1092d7a6c46908a577ddcdaead7d351
                                                                          • Instruction ID: a339bd6b92828d55967b9ea7e901ff4beb9becd867e4673b560a4985b1f42e1d
                                                                          • Opcode Fuzzy Hash: 2dc3caf9d911d0a06829744df2659007d1092d7a6c46908a577ddcdaead7d351
                                                                          • Instruction Fuzzy Hash: 81F15C35A00249CFDB14DFA9C888BADBBF2FF88314F158569E406AF255DB74E945CB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 016A69A0
                                                                          • GetCurrentThread.KERNEL32 ref: 016A69DD
                                                                          • GetCurrentProcess.KERNEL32 ref: 016A6A1A
                                                                          • GetCurrentThreadId.KERNEL32 ref: 016A6A73
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID: l
                                                                          • API String ID: 2063062207-2517025534
                                                                          • Opcode ID: a0c93db5a06781cacf70650fcf3d4161900406c9b4f7d6a730a5f9ae76fa8eea
                                                                          • Instruction ID: d91f9cd86570b98d23d65eacaa233860c794ced89d0f8628e83e532ac125b7ae
                                                                          • Opcode Fuzzy Hash: a0c93db5a06781cacf70650fcf3d4161900406c9b4f7d6a730a5f9ae76fa8eea
                                                                          • Instruction Fuzzy Hash: D45163B09042898FEB15CFA9C988BEEBFF1EF89314F24849AE549A7250C7745844CF61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 016A69A0
                                                                          • GetCurrentThread.KERNEL32 ref: 016A69DD
                                                                          • GetCurrentProcess.KERNEL32 ref: 016A6A1A
                                                                          • GetCurrentThreadId.KERNEL32 ref: 016A6A73
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: 7012a599d432b15bd73103ec6b5318d61e451000151f2377e5cd80cf45664b6b
                                                                          • Instruction ID: 3351a7bad3e646cc97cf77310b663ef20340d85e3f77e8d6babaae30da1918a7
                                                                          • Opcode Fuzzy Hash: 7012a599d432b15bd73103ec6b5318d61e451000151f2377e5cd80cf45664b6b
                                                                          • Instruction Fuzzy Hash: 095133B0A002498FDB14CFAAD988BEEBBF1FF89314F248459E519A7350D7745844CF65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

[Graph legend and edge list omitted: residue of the interactive graph widget. Function 131e238 to 131e3b5; calls GlobalMemoryStatusEx and the internal routines 131daec, 131daf8.]
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.906867919.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_1310000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3a5b9d8b6d2db2c4c87e7a3e7496a5f686cf52ccc7c9f80c80cafbfef9c68a7b
                                                                          • Instruction ID: 8ec5cc2e7d29ed3c5805332e51e994fceac2fe62845012f8f601636affab5585
                                                                          • Opcode Fuzzy Hash: 3a5b9d8b6d2db2c4c87e7a3e7496a5f686cf52ccc7c9f80c80cafbfef9c68a7b
                                                                          • Instruction Fuzzy Hash: 9A416472D043998FCB14CFB9D8142EEBBF4EF89224F05856AD904A7240DB789885CBE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

[Graph legend and edge list omitted: residue of the interactive graph widget. Function 16a5084 to 16a5201; calls CreateWindowExW.]
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016A51A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: d6d46c3c72797bb746ab875bf4c2a2e31228e809dfa11e99202e7565d7f9be26
                                                                          • Instruction ID: 18c1d2ff202244ec0b9bc90b5421fe0d79372111b00f503947c9a4b8f9fad98f
                                                                          • Opcode Fuzzy Hash: d6d46c3c72797bb746ab875bf4c2a2e31228e809dfa11e99202e7565d7f9be26
                                                                          • Instruction Fuzzy Hash: 4D51D0B1D103499FDB14CF99C884AEEBFB5FF48314F64812AE819AB210D775A885CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

[Graph legend and edge list omitted: residue of the interactive graph widget. Function 16a5090 to 16a5201; calls CreateWindowExW.]
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016A51A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 1936afb7143f9aa0a11ba905c850b760554b9f75f55b1f7a4e098977687312d0
                                                                          • Instruction ID: 71b8e85388dcb7ff996009674e01ed1868dbabd96e6e01e052c8d726f02997a0
                                                                          • Opcode Fuzzy Hash: 1936afb7143f9aa0a11ba905c850b760554b9f75f55b1f7a4e098977687312d0
                                                                          • Instruction Fuzzy Hash: 8641BFB1D103499FDB14CF99C884AEEBBB5FF48314F64812AE819AB310D7B5A945CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
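The per-function entries in this section are regular enough to parse, and parsing them answers the questions a triager asks of a report like this: which entries are literally the same code (identical Opcode ID), which merely share an API set (the two GetCurrentProcess/GetCurrentThread entries above carry the same API ID but different Opcode IDs, so they are distinct functions, not a duplicated listing), and which call arguments the sandbox resolved to a literal rather than a "?" (the 0000000C in the CreateWindowExW entries). The Python below is an added example and is not code from the Joe Sandbox report or from the analysed sample; the embedded text is constructed from three of the entries above with the page layout stripped, and treating the "Uniqueness Score" line as the end of an entry is an assumption about the report format drawn from those entries.

```python
"""Parse Joe Sandbox "Executed Functions" entries into structured records.

Added example, not code from the Joe Sandbox report or the analysed sample.
SAMPLE is constructed from three entries above with the page layout removed;
that each entry ends at its "Uniqueness Score" line is an assumption."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 016A69A0
• GetCurrentThread.KERNEL32 ref: 016A69DD
• GetCurrentProcess.KERNEL32 ref: 016A6A1A
• GetCurrentThreadId.KERNEL32 ref: 016A6A73
• Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
• API ID: Current$ProcessThread
• Opcode ID: a0c93db5a06781cacf70650fcf3d4161900406c9b4f7d6a730a5f9ae76fa8eea
Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32 ref: 016A69A0
• GetCurrentThread.KERNEL32 ref: 016A69DD
• GetCurrentProcess.KERNEL32 ref: 016A6A1A
• GetCurrentThreadId.KERNEL32 ref: 016A6A73
• Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
• API ID: Current$ProcessThread
• Opcode ID: 7012a599d432b15bd73103ec6b5318d61e451000151f2377e5cd80cf45664b6b
Uniqueness Score: -1.00%
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016A51A2
• Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
• API ID: CreateWindow
• Opcode ID: d6d46c3c72797bb746ab875bf4c2a2e31228e809dfa11e99202e7565d7f9be26
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>API ID|Opcode ID):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%$")
FIELD_ATTR = {"API ID": "api_id", "Opcode ID": "opcode_id"}

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int  # call-site address in the dump
    args: tuple[str, ...] = ()  # "?" marks an argument the sandbox did not resolve

@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0  # base of the memory dump the function was lifted from
    based_on_pe: bool = False
    api_id: str = ""
    opcode_id: str = ""
    uniqueness: float | None = None
    calls: list[ApiCall] = field(default_factory=list)

def parse_report(text: str) -> list[FunctionRecord]:
    """One record per entry; lines not modelled here (headings, other hashes) are skipped."""
    records, cur = [], FunctionRecord()
    for line in (ln.strip() for ln in text.splitlines()):
        if m := API_RE.match(line):
            args = tuple(m["args"].split(",")) if m["args"] is not None else ()
            cur.calls.append(ApiCall(m["api"], m["module"], int(m["ref"], 16), args))
        elif m := SRC_RE.match(line):
            cur.source_file, cur.offset, cur.based_on_pe = m["file"], int(m["off"], 16), m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            setattr(cur, FIELD_ATTR[m["key"]], m["val"].strip())
        elif m := SCORE_RE.match(line):
            cur.uniqueness = float(m["score"])
            records.append(cur)
            cur = FunctionRecord()
    return records

def duplicates_by_opcode(records):
    """Entries sharing an Opcode ID are the same code listed twice."""
    groups = defaultdict(list)
    for r in records:
        groups[r.opcode_id].append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}

def same_apis_different_code(records):
    """Entries sharing an API set but not an Opcode ID: distinct functions, not duplicates."""
    by_apis = defaultdict(list)
    for r in records:
        by_apis[frozenset(c.api for c in r.calls)].append(r)
    return [(a.opcode_id, b.opcode_id) for g in by_apis.values()
            for i, a in enumerate(g) for b in g[i + 1:] if a.opcode_id != b.opcode_id]

def constant_args(records, api):
    """Per call site of `api`, the argument positions the sandbox resolved to a literal."""
    return {c.ref: {i: a for i, a in enumerate(c.args) if a != "?"}
            for r in records for c in r.calls if c.api == api}
```

Run against the full section, `duplicates_by_opcode` is what separates a genuinely repeated function from the report listing the same API set twice; on the excerpt it returns nothing, while `same_apis_different_code` pairs the two GetCurrentProcess/GetCurrentThread entries as distinct code.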

                                                                          Control-flow Graph

[Graph legend and edge list omitted: residue of the interactive graph widget. Function 16a779c to 16a7f5c; calls CallWindowProcW and the internal routine 16a359c.]
                                                                          APIs
                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 016A7F01
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: CallProcWindow
                                                                          • String ID:
                                                                          • API String ID: 2714655100-0
                                                                          • Opcode ID: 4233a6c76134e86c300ee490a8c87af9e2153c2a58d68d43767cc239a4f99d82
                                                                          • Instruction ID: cb7a7a0b533d7601eb27b59e040a5d44762fa32dff070c7676a3c00261f99bda
                                                                          • Opcode Fuzzy Hash: 4233a6c76134e86c300ee490a8c87af9e2153c2a58d68d43767cc239a4f99d82
                                                                          • Instruction Fuzzy Hash: 3F4118B5900209CFDB14CF99C888AABBBF5FB88314F148499E519AB321D775AD41CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

[Graph legend and edge list omitted: residue of the interactive graph widget. Function 16a6b61 to 16a6c22; calls DuplicateHandle.]
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016A6BEF
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 17fe979c4e9827639fa8f32f012504772fbfeb16d9c22f528e9caf892f5026eb
                                                                          • Instruction ID: 8fe1f48accb9fd868deb33e0ac7b03783b8007ecfedb31bb2fe0f3534e4163f8
                                                                          • Opcode Fuzzy Hash: 17fe979c4e9827639fa8f32f012504772fbfeb16d9c22f528e9caf892f5026eb
                                                                          • Instruction Fuzzy Hash: 4121EFB59002499FDB10CFA9D984AEEBFF4FF48324F15842AE955A3310D378A954CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

[Graph legend and edge list omitted: residue of the interactive graph widget. Function 16a6b68 to 16a6c22; calls DuplicateHandle.]
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016A6BEF
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: c340879bc18af7ee791822c8faf2a7a8ab1cd54598c62a7bf0ad4463014562dd
                                                                          • Instruction ID: 36d8b50a00fe63d8fbb178a193119d638fcbc3b8563da8eb908d56d5ab16b8f9
                                                                          • Opcode Fuzzy Hash: c340879bc18af7ee791822c8faf2a7a8ab1cd54598c62a7bf0ad4463014562dd
                                                                          • Instruction Fuzzy Hash: DC21D5B5D002499FDB10CF99D984ADEFBF4FB48324F14841AE915A3310D374A954CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,055A7B19,00000800), ref: 055A7BAA
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.910366590.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_55a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 2461f7e23e5e6cb663643c25015976ffb59207e89ff8003d6550b383644abeaf
                                                                          • Instruction ID: 8a6586b73ce3acb36169430b8f007eee21d1927aabb9e58f60f1684fb35ff10d
                                                                          • Opcode Fuzzy Hash: 2461f7e23e5e6cb663643c25015976ffb59207e89ff8003d6550b383644abeaf
                                                                          • Instruction Fuzzy Hash: E01114B69042098FCB10CF9AC844BDEFBF4FB88324F04842AE515A7700D3B5A945CFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0131E28A), ref: 0131E377
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.906867919.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_1310000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemoryStatus
                                                                          • String ID:
                                                                          • API String ID: 1890195054-0
                                                                          • Opcode ID: 9c0781c855aa2c1e3ebed1180ec0080048e01a24b17d5c65baddd20944b7182d
                                                                          • Instruction ID: cff3cf026f6b99f21f52f36bf4842b113b37a63f5c0c9c6976ba8d1454e428e1
                                                                          • Opcode Fuzzy Hash: 9c0781c855aa2c1e3ebed1180ec0080048e01a24b17d5c65baddd20944b7182d
                                                                          • Instruction Fuzzy Hash: 0C1133B1C006599BCB10CF9AC444BAEFBF4AB48324F05852AE914B7200D379A954CFE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 016AC212
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
                                                                          Similarity
                                                                          • API ID: EncodePointer
                                                                          • String ID:
                                                                          • API String ID: 2118026453-0
• Opcode ID: 089f380ca56989692a67325dfe166ff47c23471920ab90d7ec3cdbee7072829c
• Instruction ID: 6d46cc92e4050a9c0732eb8f8422b651b505384dff0e1b43bcdb64418b38f332
• Opcode Fuzzy Hash: 089f380ca56989692a67325dfe166ff47c23471920ab90d7ec3cdbee7072829c
• Instruction Fuzzy Hash: 40117C709003098FDF10DFA9D9487AEBBF4FB49328F10882AD405A7741D7796954CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0131E28A), ref: 0131E377
Memory Dump Source
• Source File: 00000005.00000002.906867919.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1310000_svchost[1].jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: fc6b0cf6d659d6c639373debc6504022499488551a58914a4ac952940dc774e6
• Instruction ID: f75383c8d29c0ffe5e1e941ee2269caf1e039d127dfb0480575ffb154e38e4f2
• Opcode Fuzzy Hash: fc6b0cf6d659d6c639373debc6504022499488551a58914a4ac952940dc774e6
• Instruction Fuzzy Hash: D31103B1C0061A9FCB10CF9AC444B9EFBF4BF48324F05852AE814A7240D3B9A955CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,055A7B19,00000800), ref: 055A7BAA
Memory Dump Source
• Source File: 00000005.00000002.910366590.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_55a0000_svchost[1].jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 91b337d4c1e30fc8bf50f5e45ce01bf2d2c878fb8a672bf133465511f6175448
• Instruction ID: 1f296a34d83b638498b60829fdb881e08ca3994840684700484c779bd3c9e89d
• Opcode Fuzzy Hash: 91b337d4c1e30fc8bf50f5e45ce01bf2d2c878fb8a672bf133465511f6175448
• Instruction Fuzzy Hash: B111E2B6D102098FDB10CF9AD484AEEFBF4FB88324F14842EE415A7600C3B5A945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 016A4116
Memory Dump Source
• Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: c66bf21e6c58a820f7484196370925c9e6e607adae7f415b1da373022fb9ec25
• Instruction ID: d77914c7d93856afd365bfec47acb9e068759986c8e8f8d4e9eba0e7676bfddf
• Opcode Fuzzy Hash: c66bf21e6c58a820f7484196370925c9e6e607adae7f415b1da373022fb9ec25
• Instruction Fuzzy Hash: 3D1123B28006498FDB10CF9AC848ADEFBF4EF49224F04842AD418B7600D7B8A546CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 016A4116
Memory Dump Source
• Source File: 00000005.00000002.907265330.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16a0000_svchost[1].jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1a13cc307cfeaf8cb2f27f2525f8809a912de59d97d3f267c16f3013a20dbc18
• Instruction ID: 2a4b16d6908e89859a2ec5c438b51b1ac9e55b221c42429247e86f2daf2d9e6d
• Opcode Fuzzy Hash: 1a13cc307cfeaf8cb2f27f2525f8809a912de59d97d3f267c16f3013a20dbc18
• Instruction Fuzzy Hash: 9E1134B1D002498FDB10CF9AC844BEEFBF4EB49224F04842AD829B7700D7B5A945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 055AB655
Memory Dump Source
• Source File: 00000005.00000002.910366590.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_55a0000_svchost[1].jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: a3faadcb09fe1edc34bdd30f3df1f7b8851f392c7c06a065720bb08d652c0777
• Instruction ID: 6957bb448a2b68aafc952a2142cf43a5b0c3cd8a61dbbe48439e556265bb98eb
• Opcode Fuzzy Hash: a3faadcb09fe1edc34bdd30f3df1f7b8851f392c7c06a065720bb08d652c0777
• Instruction Fuzzy Hash: 221115B59002498FCB10DF99D588BDEBBF4FB88324F148519E519A7700D379A945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 055AB655
Memory Dump Source
• Source File: 00000005.00000002.910366590.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_55a0000_svchost[1].jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 42569e80a6cb4edfb5dbaada1ce281af1d62203831501b38654431a81adf409f
• Instruction ID: 49a844b5a087b0f534894ed32775dcba2c50c0a6dcacf305b6e08b5bf8662458
• Opcode Fuzzy Hash: 42569e80a6cb4edfb5dbaada1ce281af1d62203831501b38654431a81adf409f
• Instruction Fuzzy Hash: A61133B18042488FCB20CF99C888BDEBBF4FB48324F148419E519A3700C375A944CFA5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.906995971.00000000013AD000.00000040.00000001.sdmp, Offset: 013AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13ad000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95e289431c0d2087692f132c7ae660d00cb68b1218e33f5cfb703885c20674fb
• Instruction ID: 4a3dcf9d27e85b511b8335bac005f5704670aafb5a1d5432caa7f88c95bed3f4
• Opcode Fuzzy Hash: 95e289431c0d2087692f132c7ae660d00cb68b1218e33f5cfb703885c20674fb
• Instruction Fuzzy Hash: D82167B2504204DFCB05DF44D8C0F26BFA5FB8832CF648569E9494BA06C336D846CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.906995971.00000000013AD000.00000040.00000001.sdmp, Offset: 013AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13ad000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6204b5ddf4287fa10a91503f375abb84f0eae5fc4aedb100594f14e4ef9547d
• Instruction ID: 327e79b9f3286a902c98f62316b498b8aecd35dae11690a864a60e68fd21b966
• Opcode Fuzzy Hash: e6204b5ddf4287fa10a91503f375abb84f0eae5fc4aedb100594f14e4ef9547d
• Instruction Fuzzy Hash: 602130B2504204EFDB05DF54D8C0B67BFA5FB88328F648569E9055BA0AC736E846CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.907037470.00000000013BD000.00000040.00000001.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13bd000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e168609fe060e3e5d86be1a476dcbb81953dec217af587a4816fd89b358c2ace
• Instruction ID: 5baadc2750b82ac0495231d215217ce77dbf52c370b6ce32abfe4b4ac8d4f6ba
• Opcode Fuzzy Hash: e168609fe060e3e5d86be1a476dcbb81953dec217af587a4816fd89b358c2ace
• Instruction Fuzzy Hash: 972167B1504204DFCB14CF54D8C0B56BBA5FB8835CF24C56DDA094BA46D336D807CB61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.907037470.00000000013BD000.00000040.00000001.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13bd000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27c023411cc8ab8bdffe426ea06d52f5d6067c59e7c47bddf024ce259c87edb4
• Instruction ID: 9845ff7e8d7775b003d35cae9367ee7c2edd34b1e08ca61c707e06a1743cf1a9
• Opcode Fuzzy Hash: 27c023411cc8ab8bdffe426ea06d52f5d6067c59e7c47bddf024ce259c87edb4
• Instruction Fuzzy Hash: 7721B0714083809FCB02CF24D9D4B11BF71EB46318F28C5DAD8498F667C33A9806CB62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.906995971.00000000013AD000.00000040.00000001.sdmp, Offset: 013AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13ad000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
• Instruction ID: 5dd1dd011f758e3a73b202963d7dd1a41cfbe1748b241a068af6818ed4318494
• Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
• Instruction Fuzzy Hash: BA11D376504280CFCB16CF54D5C4B16BF72FB88328F28C6A9D8494B617C336D456CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.906995971.00000000013AD000.00000040.00000001.sdmp, Offset: 013AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13ad000_svchost[1].jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
• Instruction ID: e69b8d87f847571fae3fd64ad60dc4258cdfa97c3648f5ebfe8fa2f1dc7fad31
• Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
• Instruction Fuzzy Hash: 3311BE76504280CFDB16CF54D9C4B16BF71FB88328F2886A9D8450BA17C33AD45ACBA2
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions