Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Payment Confirmation Slip.exe

Overview

General Information

Sample name:Payment Confirmation Slip.exe
Analysis ID:1545975
MD5:8a50c784517f5b8d4b6a6fdb5a76f6a6
SHA1:e4c903fc2a82f5d83ca3a92adc70b9be988f8913
SHA256:2dd8b8b30d3de0df7b78c07018e7c80d95f750ba56d65f8c38bce76e5b232a00
Tags:exeuser-lowmal3
Infos:

Detection

FormBook
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Payment Confirmation Slip.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\Payment Confirmation Slip.exe" MD5: 8A50C784517F5B8D4B6A6FDB5A76F6A6)
    • svchost.exe (PID: 8056 cmdline: "C:\Users\user\Desktop\Payment Confirmation Slip.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2f4f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2c050:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      5.2.svchost.exe.600000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        5.2.svchost.exe.600000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2e6f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x16862:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        5.2.svchost.exe.600000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          5.2.svchost.exe.600000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2f4f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payment Confirmation Slip.exe", CommandLine: "C:\Users\user\Desktop\Payment Confirmation Slip.exe", CommandLine|base64offset|contains: *', Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Confirmation Slip.exe", ParentImage: C:\Users\user\Desktop\Payment Confirmation Slip.exe, ParentProcessId: 7412, ParentProcessName: Payment Confirmation Slip.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Confirmation Slip.exe", ProcessId: 8056, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\Payment Confirmation Slip.exe", CommandLine: "C:\Users\user\Desktop\Payment Confirmation Slip.exe", CommandLine|base64offset|contains: *', Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Confirmation Slip.exe", ParentImage: C:\Users\user\Desktop\Payment Confirmation Slip.exe, ParentProcessId: 7412, ParentProcessName: Payment Confirmation Slip.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Confirmation Slip.exe", ProcessId: 8056, ProcessName: svchost.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-10-31T11:03:58.821357+010020229301A Network Trojan was detected52.149.20.212443192.168.2.449730TCP
          2024-10-31T11:04:27.582374+010020229301A Network Trojan was detected52.149.20.212443192.168.2.461003TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: Payment Confirmation Slip.exeReversingLabs: Detection: 55%
          Yara detected FormBook
          Source: Yara matchFile source: 5.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: Payment Confirmation Slip.exeJoe Sandbox ML: detected
          Source: Payment Confirmation Slip.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000005.00000003.2987839658.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3033055724.0000000000D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2989841559.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000005.00000003.2987839658.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3033055724.0000000000D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2989841559.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp
          Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:61003
          Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49730

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 5.2.svchost.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: Payment Confirmation Slip.exe
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0062C7B3 NtClose,5_2_0062C7B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C735C0 NtCreateMutant,LdrInitializeThunk,5_2_00C735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72B60 NtClose,LdrInitializeThunk,5_2_00C72B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_00C72DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C73090 NtSetValueKey,5_2_00C73090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C73010 NtOpenDirectoryObject,5_2_00C73010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C74340 NtSetContextThread,5_2_00C74340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C74650 NtSuspendThread,5_2_00C74650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C739B0 NtGetContextThread,5_2_00C739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72AD0 NtReadFile,5_2_00C72AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72AF0 NtWriteFile,5_2_00C72AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72AB0 NtWaitForSingleObject,5_2_00C72AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72BE0 NtQueryValueKey,5_2_00C72BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72BF0 NtAllocateVirtualMemory,5_2_00C72BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72B80 NtQueryInformationFile,5_2_00C72B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72BA0 NtEnumerateValueKey,5_2_00C72BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72CC0 NtQueryVirtualMemory,5_2_00C72CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72CF0 NtOpenProcess,5_2_00C72CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72CA0 NtQueryInformationToken,5_2_00C72CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72C60 NtCreateKey,5_2_00C72C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72C70 NtFreeVirtualMemory,5_2_00C72C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72C00 NtQueryInformationProcess,5_2_00C72C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72DD0 NtDelayExecution,5_2_00C72DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72DB0 NtEnumerateKey,5_2_00C72DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C73D70 NtOpenThread,5_2_00C73D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72D00 NtSetInformationFile,5_2_00C72D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72D10 NtMapViewOfSection,5_2_00C72D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C73D10 NtOpenProcessToken,5_2_00C73D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72D30 NtUnmapViewOfSection,5_2_00C72D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72EE0 NtQueueApcThread,5_2_00C72EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72E80 NtReadVirtualMemory,5_2_00C72E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72EA0 NtAdjustPrivilegesToken,5_2_00C72EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72E30 NtWriteVirtualMemory,5_2_00C72E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72FE0 NtCreateFile,5_2_00C72FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72F90 NtProtectVirtualMemory,5_2_00C72F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72FA0 NtQuerySection,5_2_00C72FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72FB0 NtResumeThread,5_2_00C72FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72F60 NtCreateProcessEx,5_2_00C72F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C72F30 NtCreateSection,5_2_00C72F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_006100B35_2_006100B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_006169CE5_2_006169CE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_006169D35_2_006169D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_006032205_2_00603220
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_006012005_2_00601200
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_006102D35_2_006102D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0060E3535_2_0060E353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0062D3135_2_0062D313
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00601C255_2_00601C25
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00602CD85_2_00602CD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0062EDE35_2_0062EDE3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_006026605_2_00602660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEF0CC5_2_00CEF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C05_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF70E95_2_00CF70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFF0E05_2_00CFF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF81CC5_2_00CF81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4B1B05_2_00C4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D001AA5_2_00D001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C7516C5_2_00C7516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F1725_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D0B16B5_2_00D0B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C301005_2_00C30100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDA1185_2_00CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B2C05_2_00C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C452A05_2_00C452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE02745_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4E3F05_2_00C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D003E65_2_00D003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C8739A5_2_00C8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2D34C5_2_00C2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFA3525_2_00CFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF132D5_2_00CF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEE4F65_2_00CEE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF24465_2_00CF2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C314605_2_00C31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFF43F5_2_00CFF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D005915_2_00D00591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDD5B05_2_00CDD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF75715_2_00CF7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C405355_2_00C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF16CC5_2_00CF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5C6E05_2_00C5C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3C7C05_2_00C3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFF7B05_2_00CFF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C647505_2_00C64750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C407705_2_00C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C438E05_2_00C438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E8F05_2_00C6E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C268B85_2_00C268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C428405_2_00C42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4A8405_2_00C4A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAD8005_2_00CAD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C429A05_2_00C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D0A9A65_2_00D0A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C499505_2_00C49950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B9505_2_00C5B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C569625_2_00C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEDAC65_2_00CEDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3EA805_2_00C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDDAAC5_2_00CDDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C85AA05_2_00C85AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFFA495_2_00CFFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF7A465_2_00CF7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB3A6C5_2_00CB3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF6BD75_2_00CF6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C7DBF95_2_00C7DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5FB805_2_00C5FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFAB405_2_00CFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFFB765_2_00CFFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C30CF25_2_00C30CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFFCF25_2_00CFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0CB55_2_00CE0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C40C005_2_00C40C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB9C325_2_00CB9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5FDC05_2_00C5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3ADE05_2_00C3ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C58DBF5_2_00C58DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C43D405_2_00C43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF1D5A5_2_00CF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF7D735_2_00CF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4AD005_2_00C4AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFEEDB5_2_00CFEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C52E905_2_00C52E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFCE935_2_00CFCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C49EB05_2_00C49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C40E595_2_00C40E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFEE265_2_00CFEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C32FC85_2_00C32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41F925_2_00C41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFFFB15_2_00CFFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB4F405_2_00CB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFFF095_2_00CFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C82F285_2_00C82F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C60F305_2_00C60F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00C87E54 appears 87 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00C2B970 appears 253 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00C75130 appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00CBF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00CAEA12 appears 85 times
          Source: Payment Confirmation Slip.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 5.2.svchost.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal88.troj.evad.winEXE@3/1@0/0
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeFile created: C:\Users\user\AppData\Local\Temp\eupolyzoanJump to behavior
          Source: Payment Confirmation Slip.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Payment Confirmation Slip.exeReversingLabs: Detection: 55%
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeFile read: C:\Users\user\Desktop\Payment Confirmation Slip.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Payment Confirmation Slip.exe "C:\Users\user\Desktop\Payment Confirmation Slip.exe"
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Confirmation Slip.exe"
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Confirmation Slip.exe"Jump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Payment Confirmation Slip.exeStatic file information: File size 1325849 > 1048576
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000005.00000003.2987839658.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3033055724.0000000000D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2989841559.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000005.00000003.2987839658.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3033055724.0000000000D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2989841559.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp
          Source: Payment Confirmation Slip.exeStatic PE information: real checksum: 0xa2135 should be: 0x146906
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0061A862 pushad ; iretd 5_2_0061A86D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00622882 push esi; retn 0000h5_2_0062288A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0060C9FD pushad ; ret 5_2_0060C9FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0061EAAC push esp; retf 5_2_0061EAB6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0060AB63 push es; ret 5_2_0060AB60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0060AB22 push es; ret 5_2_0060AB60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00615C63 push esi; iretd 5_2_00615C6E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00614CD7 push ebx; ret 5_2_00614CD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_006034A0 push eax; ret 5_2_006034A2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00618D33 push ecx; retf 5_2_00618D7A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00601759 push 00000028h; ret 5_2_0060175B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C309AD push ecx; mov dword ptr [esp], ecx5_2_00C309B6
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeAPI/Special instruction interceptor: Address: 410325C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAD1C0 rdtsc 5_2_00CAD1C0
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 8060Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAD1C0 rdtsc 5_2_00CAD1C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00617983 LdrLoadDll,5_2_00617983
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov ecx, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov ecx, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov ecx, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov ecx, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C470C0 mov eax, dword ptr fs:[00000030h]5_2_00C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D050D9 mov eax, dword ptr fs:[00000030h]5_2_00D050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAD0C0 mov eax, dword ptr fs:[00000030h]5_2_00CAD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAD0C0 mov eax, dword ptr fs:[00000030h]5_2_00CAD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB20DE mov eax, dword ptr fs:[00000030h]5_2_00CB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C590DB mov eax, dword ptr fs:[00000030h]5_2_00C590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C550E4 mov eax, dword ptr fs:[00000030h]5_2_00C550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C550E4 mov ecx, dword ptr fs:[00000030h]5_2_00C550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2A0E3 mov ecx, dword ptr fs:[00000030h]5_2_00C2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C380E9 mov eax, dword ptr fs:[00000030h]5_2_00C380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2C0F0 mov eax, dword ptr fs:[00000030h]5_2_00C2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C720F0 mov ecx, dword ptr fs:[00000030h]5_2_00C720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3208A mov eax, dword ptr fs:[00000030h]5_2_00C3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2D08D mov eax, dword ptr fs:[00000030h]5_2_00C2D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C35096 mov eax, dword ptr fs:[00000030h]5_2_00C35096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5D090 mov eax, dword ptr fs:[00000030h]5_2_00C5D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5D090 mov eax, dword ptr fs:[00000030h]5_2_00C5D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6909C mov eax, dword ptr fs:[00000030h]5_2_00C6909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF60B8 mov eax, dword ptr fs:[00000030h]5_2_00CF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF60B8 mov ecx, dword ptr fs:[00000030h]5_2_00CF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C32050 mov eax, dword ptr fs:[00000030h]5_2_00C32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CD705E mov ebx, dword ptr fs:[00000030h]5_2_00CD705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CD705E mov eax, dword ptr fs:[00000030h]5_2_00CD705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B052 mov eax, dword ptr fs:[00000030h]5_2_00C5B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D05060 mov eax, dword ptr fs:[00000030h]5_2_00D05060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov ecx, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C41070 mov eax, dword ptr fs:[00000030h]5_2_00C41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5C073 mov eax, dword ptr fs:[00000030h]5_2_00C5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAD070 mov ecx, dword ptr fs:[00000030h]5_2_00CAD070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4E016 mov eax, dword ptr fs:[00000030h]5_2_00C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4E016 mov eax, dword ptr fs:[00000030h]5_2_00C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4E016 mov eax, dword ptr fs:[00000030h]5_2_00C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4E016 mov eax, dword ptr fs:[00000030h]5_2_00C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2A020 mov eax, dword ptr fs:[00000030h]5_2_00C2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2C020 mov eax, dword ptr fs:[00000030h]5_2_00C2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF903E mov eax, dword ptr fs:[00000030h]5_2_00CF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF903E mov eax, dword ptr fs:[00000030h]5_2_00CF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF903E mov eax, dword ptr fs:[00000030h]5_2_00CF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF903E mov eax, dword ptr fs:[00000030h]5_2_00CF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF61C3 mov eax, dword ptr fs:[00000030h]5_2_00CF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF61C3 mov eax, dword ptr fs:[00000030h]5_2_00CF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6D1D0 mov eax, dword ptr fs:[00000030h]5_2_00C6D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6D1D0 mov ecx, dword ptr fs:[00000030h]5_2_00C6D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAE1D0 mov eax, dword ptr fs:[00000030h]5_2_00CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAE1D0 mov eax, dword ptr fs:[00000030h]5_2_00CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAE1D0 mov ecx, dword ptr fs:[00000030h]5_2_00CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAE1D0 mov eax, dword ptr fs:[00000030h]5_2_00CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAE1D0 mov eax, dword ptr fs:[00000030h]5_2_00CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D051CB mov eax, dword ptr fs:[00000030h]5_2_00D051CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C551EF mov eax, dword ptr fs:[00000030h]5_2_00C551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C351ED mov eax, dword ptr fs:[00000030h]5_2_00C351ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D061E5 mov eax, dword ptr fs:[00000030h]5_2_00D061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C601F8 mov eax, dword ptr fs:[00000030h]5_2_00C601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C70185 mov eax, dword ptr fs:[00000030h]5_2_00C70185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEC188 mov eax, dword ptr fs:[00000030h]5_2_00CEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEC188 mov eax, dword ptr fs:[00000030h]5_2_00CEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB019F mov eax, dword ptr fs:[00000030h]5_2_00CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB019F mov eax, dword ptr fs:[00000030h]5_2_00CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB019F mov eax, dword ptr fs:[00000030h]5_2_00CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB019F mov eax, dword ptr fs:[00000030h]5_2_00CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2A197 mov eax, dword ptr fs:[00000030h]5_2_00C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2A197 mov eax, dword ptr fs:[00000030h]5_2_00C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2A197 mov eax, dword ptr fs:[00000030h]5_2_00C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C87190 mov eax, dword ptr fs:[00000030h]5_2_00C87190
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE11A4 mov eax, dword ptr fs:[00000030h]5_2_00CE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE11A4 mov eax, dword ptr fs:[00000030h]5_2_00CE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE11A4 mov eax, dword ptr fs:[00000030h]5_2_00CE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE11A4 mov eax, dword ptr fs:[00000030h]5_2_00CE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4B1B0 mov eax, dword ptr fs:[00000030h]5_2_00C4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D05152 mov eax, dword ptr fs:[00000030h]5_2_00D05152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC4144 mov eax, dword ptr fs:[00000030h]5_2_00CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC4144 mov eax, dword ptr fs:[00000030h]5_2_00CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC4144 mov ecx, dword ptr fs:[00000030h]5_2_00CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC4144 mov eax, dword ptr fs:[00000030h]5_2_00CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC4144 mov eax, dword ptr fs:[00000030h]5_2_00CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C29148 mov eax, dword ptr fs:[00000030h]5_2_00C29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C29148 mov eax, dword ptr fs:[00000030h]5_2_00C29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C29148 mov eax, dword ptr fs:[00000030h]5_2_00C29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C29148 mov eax, dword ptr fs:[00000030h]5_2_00C29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C37152 mov eax, dword ptr fs:[00000030h]5_2_00C37152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2C156 mov eax, dword ptr fs:[00000030h]5_2_00C2C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C36154 mov eax, dword ptr fs:[00000030h]5_2_00C36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C36154 mov eax, dword ptr fs:[00000030h]5_2_00C36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2F172 mov eax, dword ptr fs:[00000030h]5_2_00C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC9179 mov eax, dword ptr fs:[00000030h]5_2_00CC9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDA118 mov ecx, dword ptr fs:[00000030h]5_2_00CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDA118 mov eax, dword ptr fs:[00000030h]5_2_00CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDA118 mov eax, dword ptr fs:[00000030h]5_2_00CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDA118 mov eax, dword ptr fs:[00000030h]5_2_00CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF0115 mov eax, dword ptr fs:[00000030h]5_2_00CF0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C60124 mov eax, dword ptr fs:[00000030h]5_2_00C60124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C31131 mov eax, dword ptr fs:[00000030h]5_2_00C31131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C31131 mov eax, dword ptr fs:[00000030h]5_2_00C31131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B136 mov eax, dword ptr fs:[00000030h]5_2_00C2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B136 mov eax, dword ptr fs:[00000030h]5_2_00C2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B136 mov eax, dword ptr fs:[00000030h]5_2_00C2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B136 mov eax, dword ptr fs:[00000030h]5_2_00C2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A2C3 mov eax, dword ptr fs:[00000030h]5_2_00C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A2C3 mov eax, dword ptr fs:[00000030h]5_2_00C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A2C3 mov eax, dword ptr fs:[00000030h]5_2_00C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A2C3 mov eax, dword ptr fs:[00000030h]5_2_00C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A2C3 mov eax, dword ptr fs:[00000030h]5_2_00C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B2C0 mov eax, dword ptr fs:[00000030h]5_2_00C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B2C0 mov eax, dword ptr fs:[00000030h]5_2_00C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B2C0 mov eax, dword ptr fs:[00000030h]5_2_00C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B2C0 mov eax, dword ptr fs:[00000030h]5_2_00C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B2C0 mov eax, dword ptr fs:[00000030h]5_2_00C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B2C0 mov eax, dword ptr fs:[00000030h]5_2_00C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5B2C0 mov eax, dword ptr fs:[00000030h]5_2_00C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C392C5 mov eax, dword ptr fs:[00000030h]5_2_00C392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C392C5 mov eax, dword ptr fs:[00000030h]5_2_00C392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B2D3 mov eax, dword ptr fs:[00000030h]5_2_00C2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B2D3 mov eax, dword ptr fs:[00000030h]5_2_00C2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B2D3 mov eax, dword ptr fs:[00000030h]5_2_00C2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F2D0 mov eax, dword ptr fs:[00000030h]5_2_00C5F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F2D0 mov eax, dword ptr fs:[00000030h]5_2_00C5F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE12ED mov eax, dword ptr fs:[00000030h]5_2_00CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C402E1 mov eax, dword ptr fs:[00000030h]5_2_00C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C402E1 mov eax, dword ptr fs:[00000030h]5_2_00C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C402E1 mov eax, dword ptr fs:[00000030h]5_2_00C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D052E2 mov eax, dword ptr fs:[00000030h]5_2_00D052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEF2F8 mov eax, dword ptr fs:[00000030h]5_2_00CEF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C292FF mov eax, dword ptr fs:[00000030h]5_2_00C292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E284 mov eax, dword ptr fs:[00000030h]5_2_00C6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E284 mov eax, dword ptr fs:[00000030h]5_2_00C6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB0283 mov eax, dword ptr fs:[00000030h]5_2_00CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB0283 mov eax, dword ptr fs:[00000030h]5_2_00CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB0283 mov eax, dword ptr fs:[00000030h]5_2_00CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D05283 mov eax, dword ptr fs:[00000030h]5_2_00D05283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6329E mov eax, dword ptr fs:[00000030h]5_2_00C6329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6329E mov eax, dword ptr fs:[00000030h]5_2_00C6329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C402A0 mov eax, dword ptr fs:[00000030h]5_2_00C402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C402A0 mov eax, dword ptr fs:[00000030h]5_2_00C402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C452A0 mov eax, dword ptr fs:[00000030h]5_2_00C452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C452A0 mov eax, dword ptr fs:[00000030h]5_2_00C452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C452A0 mov eax, dword ptr fs:[00000030h]5_2_00C452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C452A0 mov eax, dword ptr fs:[00000030h]5_2_00C452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF92A6 mov eax, dword ptr fs:[00000030h]5_2_00CF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF92A6 mov eax, dword ptr fs:[00000030h]5_2_00CF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF92A6 mov eax, dword ptr fs:[00000030h]5_2_00CF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF92A6 mov eax, dword ptr fs:[00000030h]5_2_00CF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC62A0 mov eax, dword ptr fs:[00000030h]5_2_00CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC62A0 mov ecx, dword ptr fs:[00000030h]5_2_00CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC62A0 mov eax, dword ptr fs:[00000030h]5_2_00CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC62A0 mov eax, dword ptr fs:[00000030h]5_2_00CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC62A0 mov eax, dword ptr fs:[00000030h]5_2_00CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC62A0 mov eax, dword ptr fs:[00000030h]5_2_00CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC72A0 mov eax, dword ptr fs:[00000030h]5_2_00CC72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC72A0 mov eax, dword ptr fs:[00000030h]5_2_00CC72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB92BC mov eax, dword ptr fs:[00000030h]5_2_00CB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB92BC mov eax, dword ptr fs:[00000030h]5_2_00CB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB92BC mov ecx, dword ptr fs:[00000030h]5_2_00CB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB92BC mov ecx, dword ptr fs:[00000030h]5_2_00CB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C29240 mov eax, dword ptr fs:[00000030h]5_2_00C29240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C29240 mov eax, dword ptr fs:[00000030h]5_2_00C29240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6724D mov eax, dword ptr fs:[00000030h]5_2_00C6724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2A250 mov eax, dword ptr fs:[00000030h]5_2_00C2A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEB256 mov eax, dword ptr fs:[00000030h]5_2_00CEB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEB256 mov eax, dword ptr fs:[00000030h]5_2_00CEB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C36259 mov eax, dword ptr fs:[00000030h]5_2_00C36259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C34260 mov eax, dword ptr fs:[00000030h]5_2_00C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C34260 mov eax, dword ptr fs:[00000030h]5_2_00C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C34260 mov eax, dword ptr fs:[00000030h]5_2_00C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFD26B mov eax, dword ptr fs:[00000030h]5_2_00CFD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFD26B mov eax, dword ptr fs:[00000030h]5_2_00CFD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2826B mov eax, dword ptr fs:[00000030h]5_2_00C2826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C59274 mov eax, dword ptr fs:[00000030h]5_2_00C59274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C71270 mov eax, dword ptr fs:[00000030h]5_2_00C71270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C71270 mov eax, dword ptr fs:[00000030h]5_2_00C71270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CE0274 mov eax, dword ptr fs:[00000030h]5_2_00CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C67208 mov eax, dword ptr fs:[00000030h]5_2_00C67208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C67208 mov eax, dword ptr fs:[00000030h]5_2_00C67208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D05227 mov eax, dword ptr fs:[00000030h]5_2_00D05227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2823B mov eax, dword ptr fs:[00000030h]5_2_00C2823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEC3CD mov eax, dword ptr fs:[00000030h]5_2_00CEC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A3C0 mov eax, dword ptr fs:[00000030h]5_2_00C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A3C0 mov eax, dword ptr fs:[00000030h]5_2_00C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A3C0 mov eax, dword ptr fs:[00000030h]5_2_00C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A3C0 mov eax, dword ptr fs:[00000030h]5_2_00C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A3C0 mov eax, dword ptr fs:[00000030h]5_2_00C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3A3C0 mov eax, dword ptr fs:[00000030h]5_2_00C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C383C0 mov eax, dword ptr fs:[00000030h]5_2_00C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C383C0 mov eax, dword ptr fs:[00000030h]5_2_00C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C383C0 mov eax, dword ptr fs:[00000030h]5_2_00C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C383C0 mov eax, dword ptr fs:[00000030h]5_2_00C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEB3D0 mov ecx, dword ptr fs:[00000030h]5_2_00CEB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEF3E6 mov eax, dword ptr fs:[00000030h]5_2_00CEF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D053FC mov eax, dword ptr fs:[00000030h]5_2_00D053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C403E9 mov eax, dword ptr fs:[00000030h]5_2_00C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C403E9 mov eax, dword ptr fs:[00000030h]5_2_00C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C403E9 mov eax, dword ptr fs:[00000030h]5_2_00C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C403E9 mov eax, dword ptr fs:[00000030h]5_2_00C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C403E9 mov eax, dword ptr fs:[00000030h]5_2_00C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C403E9 mov eax, dword ptr fs:[00000030h]5_2_00C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C403E9 mov eax, dword ptr fs:[00000030h]5_2_00C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C403E9 mov eax, dword ptr fs:[00000030h]5_2_00C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4E3F0 mov eax, dword ptr fs:[00000030h]5_2_00C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4E3F0 mov eax, dword ptr fs:[00000030h]5_2_00C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4E3F0 mov eax, dword ptr fs:[00000030h]5_2_00C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C663FF mov eax, dword ptr fs:[00000030h]5_2_00C663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2E388 mov eax, dword ptr fs:[00000030h]5_2_00C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2E388 mov eax, dword ptr fs:[00000030h]5_2_00C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2E388 mov eax, dword ptr fs:[00000030h]5_2_00C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5438F mov eax, dword ptr fs:[00000030h]5_2_00C5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5438F mov eax, dword ptr fs:[00000030h]5_2_00C5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D0539D mov eax, dword ptr fs:[00000030h]5_2_00D0539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C8739A mov eax, dword ptr fs:[00000030h]5_2_00C8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C8739A mov eax, dword ptr fs:[00000030h]5_2_00C8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C28397 mov eax, dword ptr fs:[00000030h]5_2_00C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C28397 mov eax, dword ptr fs:[00000030h]5_2_00C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C28397 mov eax, dword ptr fs:[00000030h]5_2_00C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C533A5 mov eax, dword ptr fs:[00000030h]5_2_00C533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C633A0 mov eax, dword ptr fs:[00000030h]5_2_00C633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C633A0 mov eax, dword ptr fs:[00000030h]5_2_00C633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB2349 mov eax, dword ptr fs:[00000030h]5_2_00CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2D34C mov eax, dword ptr fs:[00000030h]5_2_00C2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2D34C mov eax, dword ptr fs:[00000030h]5_2_00C2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D05341 mov eax, dword ptr fs:[00000030h]5_2_00D05341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C29353 mov eax, dword ptr fs:[00000030h]5_2_00C29353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C29353 mov eax, dword ptr fs:[00000030h]5_2_00C29353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB035C mov eax, dword ptr fs:[00000030h]5_2_00CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB035C mov eax, dword ptr fs:[00000030h]5_2_00CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB035C mov eax, dword ptr fs:[00000030h]5_2_00CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB035C mov ecx, dword ptr fs:[00000030h]5_2_00CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB035C mov eax, dword ptr fs:[00000030h]5_2_00CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB035C mov eax, dword ptr fs:[00000030h]5_2_00CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CFA352 mov eax, dword ptr fs:[00000030h]5_2_00CFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEF367 mov eax, dword ptr fs:[00000030h]5_2_00CEF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CD437C mov eax, dword ptr fs:[00000030h]5_2_00CD437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C37370 mov eax, dword ptr fs:[00000030h]5_2_00C37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C37370 mov eax, dword ptr fs:[00000030h]5_2_00C37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C37370 mov eax, dword ptr fs:[00000030h]5_2_00C37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB930B mov eax, dword ptr fs:[00000030h]5_2_00CB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB930B mov eax, dword ptr fs:[00000030h]5_2_00CB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB930B mov eax, dword ptr fs:[00000030h]5_2_00CB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6A30B mov eax, dword ptr fs:[00000030h]5_2_00C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6A30B mov eax, dword ptr fs:[00000030h]5_2_00C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6A30B mov eax, dword ptr fs:[00000030h]5_2_00C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2C310 mov ecx, dword ptr fs:[00000030h]5_2_00C2C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C50310 mov ecx, dword ptr fs:[00000030h]5_2_00C50310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF132D mov eax, dword ptr fs:[00000030h]5_2_00CF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CF132D mov eax, dword ptr fs:[00000030h]5_2_00CF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F32A mov eax, dword ptr fs:[00000030h]5_2_00C5F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C27330 mov eax, dword ptr fs:[00000030h]5_2_00C27330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D054DB mov eax, dword ptr fs:[00000030h]5_2_00D054DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C304E5 mov ecx, dword ptr fs:[00000030h]5_2_00C304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CD94E0 mov eax, dword ptr fs:[00000030h]5_2_00CD94E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B480 mov eax, dword ptr fs:[00000030h]5_2_00C2B480
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C39486 mov eax, dword ptr fs:[00000030h]5_2_00C39486
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C39486 mov eax, dword ptr fs:[00000030h]5_2_00C39486
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C364AB mov eax, dword ptr fs:[00000030h]5_2_00C364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C634B0 mov eax, dword ptr fs:[00000030h]5_2_00C634B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C644B0 mov ecx, dword ptr fs:[00000030h]5_2_00C644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CBA4B0 mov eax, dword ptr fs:[00000030h]5_2_00CBA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3B440 mov eax, dword ptr fs:[00000030h]5_2_00C3B440
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3B440 mov eax, dword ptr fs:[00000030h]5_2_00C3B440
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3B440 mov eax, dword ptr fs:[00000030h]5_2_00C3B440
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3B440 mov eax, dword ptr fs:[00000030h]5_2_00C3B440
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3B440 mov eax, dword ptr fs:[00000030h]5_2_00C3B440
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3B440 mov eax, dword ptr fs:[00000030h]5_2_00C3B440
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E443 mov eax, dword ptr fs:[00000030h]5_2_00C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E443 mov eax, dword ptr fs:[00000030h]5_2_00C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E443 mov eax, dword ptr fs:[00000030h]5_2_00C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E443 mov eax, dword ptr fs:[00000030h]5_2_00C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E443 mov eax, dword ptr fs:[00000030h]5_2_00C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E443 mov eax, dword ptr fs:[00000030h]5_2_00C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E443 mov eax, dword ptr fs:[00000030h]5_2_00C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E443 mov eax, dword ptr fs:[00000030h]5_2_00C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEF453 mov eax, dword ptr fs:[00000030h]5_2_00CEF453
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2645D mov eax, dword ptr fs:[00000030h]5_2_00C2645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5245A mov eax, dword ptr fs:[00000030h]5_2_00C5245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C31460 mov eax, dword ptr fs:[00000030h]5_2_00C31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C31460 mov eax, dword ptr fs:[00000030h]5_2_00C31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C31460 mov eax, dword ptr fs:[00000030h]5_2_00C31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C31460 mov eax, dword ptr fs:[00000030h]5_2_00C31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C31460 mov eax, dword ptr fs:[00000030h]5_2_00C31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4F460 mov eax, dword ptr fs:[00000030h]5_2_00C4F460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4F460 mov eax, dword ptr fs:[00000030h]5_2_00C4F460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4F460 mov eax, dword ptr fs:[00000030h]5_2_00C4F460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4F460 mov eax, dword ptr fs:[00000030h]5_2_00C4F460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4F460 mov eax, dword ptr fs:[00000030h]5_2_00C4F460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C4F460 mov eax, dword ptr fs:[00000030h]5_2_00C4F460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D0547F mov eax, dword ptr fs:[00000030h]5_2_00D0547F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5A470 mov eax, dword ptr fs:[00000030h]5_2_00C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5A470 mov eax, dword ptr fs:[00000030h]5_2_00C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5A470 mov eax, dword ptr fs:[00000030h]5_2_00C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C68402 mov eax, dword ptr fs:[00000030h]5_2_00C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C68402 mov eax, dword ptr fs:[00000030h]5_2_00C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C68402 mov eax, dword ptr fs:[00000030h]5_2_00C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5340D mov eax, dword ptr fs:[00000030h]5_2_00C5340D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2E420 mov eax, dword ptr fs:[00000030h]5_2_00C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2E420 mov eax, dword ptr fs:[00000030h]5_2_00C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2E420 mov eax, dword ptr fs:[00000030h]5_2_00C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2C427 mov eax, dword ptr fs:[00000030h]5_2_00C2C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6A430 mov eax, dword ptr fs:[00000030h]5_2_00C6A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C655C0 mov eax, dword ptr fs:[00000030h]5_2_00C655C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D035D7 mov eax, dword ptr fs:[00000030h]5_2_00D035D7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D035D7 mov eax, dword ptr fs:[00000030h]5_2_00D035D7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D035D7 mov eax, dword ptr fs:[00000030h]5_2_00D035D7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E5CF mov eax, dword ptr fs:[00000030h]5_2_00C6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E5CF mov eax, dword ptr fs:[00000030h]5_2_00C6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C365D0 mov eax, dword ptr fs:[00000030h]5_2_00C365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6A5D0 mov eax, dword ptr fs:[00000030h]5_2_00C6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6A5D0 mov eax, dword ptr fs:[00000030h]5_2_00C6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D055C9 mov eax, dword ptr fs:[00000030h]5_2_00D055C9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAD5D0 mov eax, dword ptr fs:[00000030h]5_2_00CAD5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CAD5D0 mov ecx, dword ptr fs:[00000030h]5_2_00CAD5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C595DA mov eax, dword ptr fs:[00000030h]5_2_00C595DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E5E7 mov eax, dword ptr fs:[00000030h]5_2_00C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E5E7 mov eax, dword ptr fs:[00000030h]5_2_00C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E5E7 mov eax, dword ptr fs:[00000030h]5_2_00C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E5E7 mov eax, dword ptr fs:[00000030h]5_2_00C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E5E7 mov eax, dword ptr fs:[00000030h]5_2_00C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E5E7 mov eax, dword ptr fs:[00000030h]5_2_00C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E5E7 mov eax, dword ptr fs:[00000030h]5_2_00C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E5E7 mov eax, dword ptr fs:[00000030h]5_2_00C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C325E0 mov eax, dword ptr fs:[00000030h]5_2_00C325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6C5ED mov eax, dword ptr fs:[00000030h]5_2_00C6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6C5ED mov eax, dword ptr fs:[00000030h]5_2_00C6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515F4 mov eax, dword ptr fs:[00000030h]5_2_00C515F4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515F4 mov eax, dword ptr fs:[00000030h]5_2_00C515F4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515F4 mov eax, dword ptr fs:[00000030h]5_2_00C515F4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515F4 mov eax, dword ptr fs:[00000030h]5_2_00C515F4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515F4 mov eax, dword ptr fs:[00000030h]5_2_00C515F4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515F4 mov eax, dword ptr fs:[00000030h]5_2_00C515F4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C32582 mov eax, dword ptr fs:[00000030h]5_2_00C32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C32582 mov ecx, dword ptr fs:[00000030h]5_2_00C32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2758F mov eax, dword ptr fs:[00000030h]5_2_00C2758F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2758F mov eax, dword ptr fs:[00000030h]5_2_00C2758F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2758F mov eax, dword ptr fs:[00000030h]5_2_00C2758F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C64588 mov eax, dword ptr fs:[00000030h]5_2_00C64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6E59C mov eax, dword ptr fs:[00000030h]5_2_00C6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CBB594 mov eax, dword ptr fs:[00000030h]5_2_00CBB594
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CBB594 mov eax, dword ptr fs:[00000030h]5_2_00CBB594
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB05A7 mov eax, dword ptr fs:[00000030h]5_2_00CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB05A7 mov eax, dword ptr fs:[00000030h]5_2_00CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CB05A7 mov eax, dword ptr fs:[00000030h]5_2_00CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515A9 mov eax, dword ptr fs:[00000030h]5_2_00C515A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515A9 mov eax, dword ptr fs:[00000030h]5_2_00C515A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515A9 mov eax, dword ptr fs:[00000030h]5_2_00C515A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515A9 mov eax, dword ptr fs:[00000030h]5_2_00C515A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C515A9 mov eax, dword ptr fs:[00000030h]5_2_00C515A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEF5BE mov eax, dword ptr fs:[00000030h]5_2_00CEF5BE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C545B1 mov eax, dword ptr fs:[00000030h]5_2_00C545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C545B1 mov eax, dword ptr fs:[00000030h]5_2_00C545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5F5B0 mov eax, dword ptr fs:[00000030h]5_2_00C5F5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC35BA mov eax, dword ptr fs:[00000030h]5_2_00CC35BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC35BA mov eax, dword ptr fs:[00000030h]5_2_00CC35BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC35BA mov eax, dword ptr fs:[00000030h]5_2_00CC35BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CC35BA mov eax, dword ptr fs:[00000030h]5_2_00CC35BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C38550 mov eax, dword ptr fs:[00000030h]5_2_00C38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C38550 mov eax, dword ptr fs:[00000030h]5_2_00C38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C2B562 mov eax, dword ptr fs:[00000030h]5_2_00C2B562
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6656A mov eax, dword ptr fs:[00000030h]5_2_00C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6656A mov eax, dword ptr fs:[00000030h]5_2_00C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6656A mov eax, dword ptr fs:[00000030h]5_2_00C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6B570 mov eax, dword ptr fs:[00000030h]5_2_00C6B570
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6B570 mov eax, dword ptr fs:[00000030h]5_2_00C6B570
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C67505 mov eax, dword ptr fs:[00000030h]5_2_00C67505
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C67505 mov ecx, dword ptr fs:[00000030h]5_2_00C67505
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D04500 mov eax, dword ptr fs:[00000030h]5_2_00D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D04500 mov eax, dword ptr fs:[00000030h]5_2_00D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D04500 mov eax, dword ptr fs:[00000030h]5_2_00D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D04500 mov eax, dword ptr fs:[00000030h]5_2_00D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D04500 mov eax, dword ptr fs:[00000030h]5_2_00D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D04500 mov eax, dword ptr fs:[00000030h]5_2_00D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D04500 mov eax, dword ptr fs:[00000030h]5_2_00D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CEB52F mov eax, dword ptr fs:[00000030h]5_2_00CEB52F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00D05537 mov eax, dword ptr fs:[00000030h]5_2_00D05537
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDF525 mov eax, dword ptr fs:[00000030h]5_2_00CDF525
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDF525 mov eax, dword ptr fs:[00000030h]5_2_00CDF525
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDF525 mov eax, dword ptr fs:[00000030h]5_2_00CDF525
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDF525 mov eax, dword ptr fs:[00000030h]5_2_00CDF525
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDF525 mov eax, dword ptr fs:[00000030h]5_2_00CDF525
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDF525 mov eax, dword ptr fs:[00000030h]5_2_00CDF525
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00CDF525 mov eax, dword ptr fs:[00000030h]5_2_00CDF525
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C40535 mov eax, dword ptr fs:[00000030h]5_2_00C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C40535 mov eax, dword ptr fs:[00000030h]5_2_00C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C40535 mov eax, dword ptr fs:[00000030h]5_2_00C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C40535 mov eax, dword ptr fs:[00000030h]5_2_00C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C40535 mov eax, dword ptr fs:[00000030h]5_2_00C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C40535 mov eax, dword ptr fs:[00000030h]5_2_00C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6D530 mov eax, dword ptr fs:[00000030h]5_2_00C6D530
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C6D530 mov eax, dword ptr fs:[00000030h]5_2_00C6D530
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3D534 mov eax, dword ptr fs:[00000030h]5_2_00C3D534
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3D534 mov eax, dword ptr fs:[00000030h]5_2_00C3D534
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3D534 mov eax, dword ptr fs:[00000030h]5_2_00C3D534
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3D534 mov eax, dword ptr fs:[00000030h]5_2_00C3D534
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3D534 mov eax, dword ptr fs:[00000030h]5_2_00C3D534
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C3D534 mov eax, dword ptr fs:[00000030h]5_2_00C3D534
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E53E mov eax, dword ptr fs:[00000030h]5_2_00C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E53E mov eax, dword ptr fs:[00000030h]5_2_00C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E53E mov eax, dword ptr fs:[00000030h]5_2_00C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00C5E53E mov eax, dword ptr fs:[00000030h]5_2_00C5E53E

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5E8008Jump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation Slip.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Confirmation Slip.exe"Jump to behavior
          Source: Payment Confirmation Slip.exeBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		212
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping12
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		212
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          DLL Side-Loading          		NTDS1
          File and Directory Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA Secrets11
          System Information Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Payment Confirmation Slip.exe55%ReversingLabsWin32.Trojan.AutoitInject
          Payment Confirmation Slip.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1545975
          Start date and time:2024-10-31 11:02:27 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 50s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:Payment Confirmation Slip.exe
          Detection:MAL
          Classification:mal88.troj.evad.winEXE@3/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 92%
          • Number of executed functions: 10
          • Number of non-executed functions: 303
          Cookbook Comments:
          • Found application associated with file extension: .exe

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • VT rate limit hit for: Payment Confirmation Slip.exe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          06:05:32API Interceptor3x Sleep call for process: svchost.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Temp\eupolyzoan

          Download File
          Process:C:\Users\user\Desktop\Payment Confirmation Slip.exe
          File Type:data
          Category:dropped
          Size (bytes):288768
          Entropy (8bit):7.991923517291277
          Encrypted:true
          SSDEEP:6144:pYHk/K2PkutXwXe+/iXhTxYj+NPN7G1iI+9F++yHAtaImS:EYKqkGXKJa11VGMl9FmAtYS
          MD5:49335D7F3AC136803F677DABF1430337
          SHA1:AC334DD3E794367A8EAE5DE2F7915715E41D2462
          SHA-256:1F827A3A231D5D8935D736541E1C7DFCE810B49D76C6EAE697485C06BCBB329A
          SHA-512:168A3C6C4D4F135E764981D440DE0FC697BC612A3915965DE7330CC4AA8166E4DE7077C20F015AD90418EE3E091725F46A8D60222A96D897A8FC097421BE6C5D
          Malicious:false
          Reputation:low
          Preview:zl...6AG3h..?...}.33...jNY..30876BMQ6AG30876BMQ6AG30876BMQ.AG3>'.8B.X.`.2|..b*$".15\WJV[b.0X/(G.ZR.08?.().twd./"5SoJ>:.76BMQ6A>29..V%.lV&..P_.,...! .*...~-6.[...WQ..8U)zSW.76BMQ6AGcu87zCLQ...e0876BMQ6.G1136=BM.2AG30876BMa"AG3 8762IQ6A.30(76BOQ6GG30876BKQ6AG3087FFMQ4AG30874B..6AW30(76BMA6AW30876B]Q6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876Bc%S93308.bFMQ&AG3f<76RMQ6AG30876BMQ6aG3P876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30876BMQ6AG30

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.511063883495709
          TrID:
          • Win32 Executable (generic) a (10002005/4) 95.11%
          • AutoIt3 compiled script executable (510682/80) 4.86%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:Payment Confirmation Slip.exe
          File size:1'325'849 bytes
          MD5:8a50c784517f5b8d4b6a6fdb5a76f6a6
          SHA1:e4c903fc2a82f5d83ca3a92adc70b9be988f8913
          SHA256:2dd8b8b30d3de0df7b78c07018e7c80d95f750ba56d65f8c38bce76e5b232a00
          SHA512:ad74128ff89027c3ea6d6b743072640827e44f1c3cc3551011d6512aa3230fe00f5599806f806853eaad28953c0714183c8d0982f2ab9c5fb68b5444b15314c0
          SSDEEP:24576:ffmMv6Ckr7Mny5QLT7lYM8C5NBZ0GuB+P6ZXbsw5fkx:f3v+7/5QLT7jNv0HBps
          TLSH:BE55F112B3D680B6DDA33971297BE327DB3475194327C48BA7E02E778F211509B3A762
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

          File Icon

          Icon Hash:1733312925935517

          Static PE Info

          General

          Entrypoint:0x416310
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:TERMINAL_SERVER_AWARE
          Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:0
          File Version Major:5
          File Version Minor:0
          Subsystem Version Major:5
          Subsystem Version Minor:0
          Import Hash:aaaa8913c89c8aa4a5d93f06853894da

          Entrypoint Preview

          Instruction
          call 00007FC370D5AACCh
          jmp 00007FC370D4E89Eh
          int3
          int3
          int3
          int3
          int3
          int3
          push ebp
          mov ebp, esp
          push edi
          push esi
          mov esi, dword ptr [ebp+0Ch]
          mov ecx, dword ptr [ebp+10h]
          mov edi, dword ptr [ebp+08h]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007FC370D4EA2Ah
          cmp edi, eax
          jc 00007FC370D4EBCAh
          cmp ecx, 00000100h
          jc 00007FC370D4EA41h
          cmp dword ptr [004A94E0h], 00000000h
          je 00007FC370D4EA38h
          push edi
          push esi
          and edi, 0Fh
          and esi, 0Fh
          cmp edi, esi
          pop esi
          pop edi
          jne 00007FC370D4EA2Ah
          pop esi
          pop edi
          pop ebp
          jmp 00007FC370D4EE8Ah
          test edi, 00000003h
          jne 00007FC370D4EA37h
          shr ecx, 02h
          and edx, 03h
          cmp ecx, 08h
          jc 00007FC370D4EA4Ch
          rep movsd
          jmp dword ptr [00416494h+edx*4]
          nop
          mov eax, edi
          mov edx, 00000003h
          sub ecx, 04h
          jc 00007FC370D4EA2Eh
          and eax, 03h
          add ecx, eax
          jmp dword ptr [004163A8h+eax*4]
          jmp dword ptr [004164A4h+ecx*4]
          nop
          jmp dword ptr [00416428h+ecx*4]
          nop
          mov eax, E4004163h
          arpl word ptr [ecx+00h], ax
          or byte ptr [ecx+eax*2+00h], ah
          and edx, ecx
          mov al, byte ptr [esi]
          mov byte ptr [edi], al
          mov al, byte ptr [esi+01h]
          mov byte ptr [edi+01h], al
          mov al, byte ptr [esi+02h]
          shr ecx, 02h
          mov byte ptr [edi+02h], al
          add esi, 03h
          add edi, 03h
          cmp ecx, 08h
          jc 00007FC370D4E9EEh

          Rich Headers

          Programming Language:
          • [ASM] VS2008 SP1 build 30729
          • [ C ] VS2008 SP1 build 30729
          • [C++] VS2008 SP1 build 30729
          • [ C ] VS2005 build 50727
          • [IMP] VS2005 build 50727
          • [ASM] VS2008 build 21022
          • [RES] VS2008 build 21022
          • [LNK] VS2008 SP1 build 30729

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0x8cd3c0x154.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0xab0000x9298.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x820000x840.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x800170x802006c20c6bf686768b6f134f5bd508171bcFalse0.5602991615853659data6.634688230255595IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata0x820000xd95c0xda00f979966509a93083729d23cdfd2a6f2dFalse0.36256450688073394data4.880040824124099IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data0x900000x1a5180x6800e5d77411f751d28c6eee48a743606795False0.1600060096153846data2.2017649896261107IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0xab0000x92980x9400f6be76de0ef2c68f397158bf01bdef3eFalse0.4896801097972973data5.530303089784181IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_ICON0xab5c80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
          RT_ICON0xab6f00x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
          RT_ICON0xab8180x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
          RT_ICON0xab9400x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishGreat Britain0.48109756097560974
          RT_ICON0xabfa80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishGreat Britain0.5672043010752689
          RT_ICON0xac2900x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishGreat Britain0.6418918918918919
          RT_ICON0xac3b80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishGreat Britain0.7044243070362474
          RT_ICON0xad2600x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishGreat Britain0.8077617328519856
          RT_ICON0xadb080x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishGreat Britain0.5903179190751445
          RT_ICON0xae0700x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishGreat Britain0.5503112033195021
          RT_ICON0xb06180x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishGreat Britain0.6050656660412758
          RT_ICON0xb16c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishGreat Britain0.7553191489361702
          RT_MENU0xb1b280x50dataEnglishGreat Britain0.9
          RT_DIALOG0xb1b780xfcdataEnglishGreat Britain0.6507936507936508
          RT_STRING0xb1c780x530dataEnglishGreat Britain0.33960843373493976
          RT_STRING0xb21a80x690dataEnglishGreat Britain0.26964285714285713
          RT_STRING0xb28380x43adataEnglishGreat Britain0.3733826247689464
          RT_STRING0xb2c780x5fcdataEnglishGreat Britain0.3087467362924282
          RT_STRING0xb32780x65cdataEnglishGreat Britain0.34336609336609336
          RT_STRING0xb38d80x388dataEnglishGreat Britain0.377212389380531
          RT_STRING0xb3c600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.502906976744186
          RT_GROUP_ICON0xb3db80x84dataEnglishGreat Britain0.6439393939393939
          RT_GROUP_ICON0xb3e400x14dataEnglishGreat Britain1.15
          RT_GROUP_ICON0xb3e580x14dataEnglishGreat Britain1.25
          RT_GROUP_ICON0xb3e700x14dataEnglishGreat Britain1.25
          RT_VERSION0xb3e880x19cdataEnglishGreat Britain0.5339805825242718
          RT_MANIFEST0xb40280x26cASCII text, with CRLF line terminatorsEnglishUnited States0.5145161290322581

          Imports

          DLLImport
          WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
          VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dllImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
          MPR.dllWNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
          WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
          PSAPI.DLLEnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
          USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
          KERNEL32.dllHeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
          USER32.dllSetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
          GDI32.dllDeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
          COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
          SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
          OLEAUT32.dllSafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          EnglishGreat Britain
          EnglishUnited States

          Network Behavior

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Oct 31, 2024 11:04:24.995198965 CET5354217162.159.36.2192.168.2.4
          Oct 31, 2024 11:04:26.168246031 CET53641451.1.1.1192.168.2.4

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:06:03:40
          Start date:31/10/2024
          Path:C:\Users\user\Desktop\Payment Confirmation Slip.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Payment Confirmation Slip.exe"
          Imagebase:0x400000
          File size:1'325'849 bytes
          MD5 hash:8A50C784517F5B8D4B6A6FDB5A76F6A6
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          General

          Target ID:5
          Start time:06:04:44
          Start date:31/10/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Payment Confirmation Slip.exe"
          Imagebase:0xf50000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3033498975.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:0.8%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:11%
            Total number of Nodes:91
            Total number of Limit Nodes:7
            execution_graph 76757 62e963 76760 62caf3 76757->76760 76759 62e97e 76761 62cb0d 76760->76761 76762 62cb1e RtlAllocateHeap 76761->76762 76762->76759 76763 624b63 76764 624b7f 76763->76764 76765 624ba7 76764->76765 76766 624bbb 76764->76766 76767 62c7b3 NtClose 76765->76767 76773 62c7b3 76766->76773 76769 624bb0 76767->76769 76770 624bc4 76776 62e9a3 RtlAllocateHeap 76770->76776 76772 624bcf 76774 62c7d0 76773->76774 76775 62c7e1 NtClose 76774->76775 76775->76770 76776->76772 76777 62faa3 76780 62e883 76777->76780 76783 62cb43 76780->76783 76782 62e89c 76784 62cb5d 76783->76784 76785 62cb6e RtlFreeHeap 76784->76785 76785->76782 76786 62bd83 76787 62bd9d 76786->76787 76790 c72df0 LdrInitializeThunk 76787->76790 76788 62bdc5 76790->76788 76859 624ef3 76864 624f0c 76859->76864 76860 624f9c 76861 624f57 76862 62e883 RtlFreeHeap 76861->76862 76863 624f67 76862->76863 76864->76860 76864->76861 76865 624f97 76864->76865 76866 62e883 RtlFreeHeap 76865->76866 76866->76860 76791 617983 76792 6179a7 76791->76792 76793 6179e3 LdrLoadDll 76792->76793 76794 6179ae 76792->76794 76793->76794 76867 613e53 76871 613e73 76867->76871 76869 613edc 76870 613ed2 76871->76869 76872 61b5a3 RtlFreeHeap LdrInitializeThunk 76871->76872 76872->76870 76795 c72b60 LdrInitializeThunk 76796 601ba9 76797 601bb0 76796->76797 76800 62ff13 76797->76800 76803 62e453 76800->76803 76804 62e476 76803->76804 76813 607583 76804->76813 76806 62e48c 76812 601bc8 76806->76812 76816 61b293 76806->76816 76808 62e4ab 76809 62cb93 ExitProcess 76808->76809 76810 62e4c0 76808->76810 76809->76810 76827 62cb93 76810->76827 76815 607590 76813->76815 76830 616643 76813->76830 76815->76806 76817 61b2bf 76816->76817 76848 61b183 76817->76848 76820 61b304 76823 61b320 76820->76823 76825 62c7b3 NtClose 76820->76825 76821 61b2ec 76822 61b2f7 76821->76822 76824 62c7b3 NtClose 76821->76824 76822->76808 76823->76808 76824->76822 76826 61b316 76825->76826 76826->76808 76828 62cbb0 76827->76828 76829 62cbc1 ExitProcess 76828->76829 76829->76812 76831 616660 76830->76831 76833 616679 76831->76833 76834 62d243 76831->76834 76833->76815 76836 62d25d 76834->76836 76835 62d28c 76835->76833 76836->76835 76841 62bdd3 76836->76841 76839 62e883 RtlFreeHeap 76840 62d302 76839->76840 76840->76833 76842 62bdf0 76841->76842 76845 c72c0a 76842->76845 76843 62be1c 76843->76839 76846 c72c11 76845->76846 76847 c72c1f LdrInitializeThunk 76845->76847 76846->76843 76847->76843 76850 61b184 76848->76850 76849 61b279 76849->76820 76849->76821 76850->76849 76854 62be73 76850->76854 76853 62c7b3 NtClose 76853->76849 76855 62be8d 76854->76855 76858 c735c0 LdrInitializeThunk 76855->76858 76856 61b26d 76856->76853 76858->76856

            Executed Functions

            Function 0062D313 Relevance: 3.1, Strings: 2, Instructions: 628COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 9 62d313-62d316 10 62d317-62d320 9->10 11 62d322 10->11 12 62d36e-62d370 10->12 13 62d3d0-62d3d6 12->13 14 62d456-62d458 13->14 15 62d3d8-62d3de 13->15 16 62d4c5-62d4cf 14->16 17 62d45a-62d47c 14->17 18 62d3e0-62d3ea 15->18 19 62d37e-62d38b 15->19 24 62d4d1 16->24 22 62d4d2 17->22 23 62d47e-62d486 17->23 25 62d451 18->25 26 62d3ec-62d3f2 18->26 20 62d33d-62d340 19->20 21 62d38d-62d39f 19->21 31 62d341-62d342 20->31 32 62d2fa-62d2fc 20->32 28 62d3a0-62d3a5 21->28 22->24 33 62d4d4-62d9a3 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 call 604943 call 6292b3 22->33 29 62d488-62d48e 23->29 30 62d49d-62d4a5 23->30 24->22 25->14 27 62d420-62d442 25->27 34 62d3b2-62d3b7 26->34 35 62d3f4-62d404 26->35 36 62d3a7 28->36 37 62d338-62d33c 28->37 38 62d3b9-62d3bc 30->38 39 62d344-62d352 31->39 40 62d325-62d32d 31->40 42 62d302-62d310 32->42 43 62d2fd call 62e883 32->43 34->38 44 62d405-62d41f 35->44 36->34 37->20 45 62d3be-62d3c5 38->45 46 62d35d-62d369 38->46 47 62d311-62d312 39->47 48 62d354-62d35b 39->48 40->28 56 62d32f 40->56 43->42 44->27 44->44 51 62d3c7-62d3cb 45->51 52 62d3cf 45->52 53 62d35c 46->53 55 62d36b-62d36d 46->55 47->9 48->53 51->52 52->13 53->46 55->10 58 62d331-62d337 56->58 59 62d2e5 56->59 58->37 59->32
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: Y=?$T~A
            • API String ID: 0-1604697576
            • Opcode ID: 0d471d23df8e42ff88da72970fa3cdeba940d1faf585fb809c67c50bbfd2aa46
            • Instruction ID: 1f5c69cbed3b97cf7a60f950d47622cb08f0491bf51b4cac36e6d9764ace3059
            • Opcode Fuzzy Hash: 0d471d23df8e42ff88da72970fa3cdeba940d1faf585fb809c67c50bbfd2aa46
            • Instruction Fuzzy Hash: 59F138E2D925107AE260B2A4DD43EFF3B7EDFA2750F44005DFE1856183FA2127158AB6
            Function 00617983 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 210 617983-61799f 211 6179a7-6179ac 210->211 212 6179a2 call 62f583 210->212 213 6179b2-6179c0 call 62fb83 211->213 214 6179ae-6179b1 211->214 212->211 217 6179d0-6179e1 call 62df23 213->217 218 6179c2-6179cd call 62fe23 213->218 223 6179e3-6179f7 LdrLoadDll 217->223 224 6179fa-6179fd 217->224 218->217 223->224
            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 006179F5
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 7f2d1ce241f0a02997eb0c98dbb73e50a322d54630c046a84bccd847ba569d3b
            • Instruction ID: ee05add89b283000ea78846ca6ed7b502a3c6f49a4d98df0919c5495b9465910
            • Opcode Fuzzy Hash: 7f2d1ce241f0a02997eb0c98dbb73e50a322d54630c046a84bccd847ba569d3b
            • Instruction Fuzzy Hash: 630121B5D4020DBBDF10DBE4DC42FDDB7B99B54308F0485A9E90897241F631EB588B95
            Function 0062C7B3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 235 62c7b3-62c7ef call 604943 call 62da33 NtClose
            APIs
            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0062C7EA
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            • Opcode ID: 9b5e015fd23c0fd5589d26cbe45240a94c1b147439beb5b06f0469a46119cd6e
            • Instruction ID: 8bb23ee5b0704058e544fdbe72cc407cae51e1739a957705f4bf6b2c7f5be95c
            • Opcode Fuzzy Hash: 9b5e015fd23c0fd5589d26cbe45240a94c1b147439beb5b06f0469a46119cd6e
            • Instruction Fuzzy Hash: 80E08C76204614BBD260EB69DC01FDB776DDFC5760F008519FB58A7242CAB0BA1287F4
            Function 00C735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 251 c735c0-c735cc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 685a8563e9e437131616566a2c074ac084fd02eea1bd4782ffaa669a17e819db
            • Instruction ID: 6e3419f27efddf0ebd2c3c42c64cf6565c57a28304e59b88bdc32e9fa758f4a0
            • Opcode Fuzzy Hash: 685a8563e9e437131616566a2c074ac084fd02eea1bd4782ffaa669a17e819db
            • Instruction Fuzzy Hash: C790027160550402D60471584554746100687D0705FA6C422A04245ACD8B958A5576A6
            Function 00C72B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 249 c72b60-c72b6c LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: cabf894dda6be6b04a9dafa6c5ba062b59fb75c435ad84d1b56789f20505caca
            • Instruction ID: 3ee783056cc5c6681325cfddec06ad99db5a2f611764aedbac8a13f5cd6403d9
            • Opcode Fuzzy Hash: cabf894dda6be6b04a9dafa6c5ba062b59fb75c435ad84d1b56789f20505caca
            • Instruction Fuzzy Hash: D29002A120240003460971584454656400B87E0705B96C032E10145D4DC92589957229
            Function 00C72DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 250 c72df0-c72dfc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: d4db9a28c0d2d053b695cab215f502ca29fd6a523f2559bfbb53cbe8ea2e89cd
            • Instruction ID: 07da6b4f1a271f0c83900206fdd72d76417e3126a87ff8524b729d40d6e8afd4
            • Opcode Fuzzy Hash: d4db9a28c0d2d053b695cab215f502ca29fd6a523f2559bfbb53cbe8ea2e89cd
            • Instruction Fuzzy Hash: 0290027120140413D61571584544747000A87D0745FD6C423A042459CD9A568A56B225
            Function 0062CAF3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 225 62caf3-62cb34 call 604943 call 62da33 RtlAllocateHeap
            APIs
            • RtlAllocateHeap.NTDLL(?,0061E72E,?,?,00000000,?,0061E72E,?,?,?), ref: 0062CB2F
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 3f9c039c9ce065c4eed385af82862bc480e76871347cd2e3963b0ecfaaf83ab2
            • Instruction ID: a28e7717550a27015951625408bb89ef038bea221d8716442e3b1bf25cfaa829
            • Opcode Fuzzy Hash: 3f9c039c9ce065c4eed385af82862bc480e76871347cd2e3963b0ecfaaf83ab2
            • Instruction Fuzzy Hash: 91E092752042047BC614EE58EC46FDB33ADEFC8710F004019F918A7242D670BD108BB8
            Function 0062CB43 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 230 62cb43-62cb84 call 604943 call 62da33 RtlFreeHeap
            APIs
            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,C6C1FC55,00000007,00000000,00000004,00000000,00617209,000000F4), ref: 0062CB7F
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 61ef5db065539f3b2050b861a7aa6611bfe91142334a6f522934a6d7990a8f34
            • Instruction ID: c3059aab709ca4a535c6cd50f42674bcadc651f67ff215f6560740e703237650
            • Opcode Fuzzy Hash: 61ef5db065539f3b2050b861a7aa6611bfe91142334a6f522934a6d7990a8f34
            • Instruction Fuzzy Hash: BEE092B52042087BC654EE58EC45FDB33ADDFC9710F004019F918A7242D770BD108BB4
            Function 0062CB93 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 240 62cb93-62cbcf call 604943 call 62da33 ExitProcess
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 07026e5a012e26d4c828d2ef75155419ad8f8503e35dd9f916f6192a5f308bfa
            • Instruction ID: 2f145908a5d008d292e4bdaafcac4c1f0263233474a59304acc29ad3fc16e892
            • Opcode Fuzzy Hash: 07026e5a012e26d4c828d2ef75155419ad8f8503e35dd9f916f6192a5f308bfa
            • Instruction Fuzzy Hash: 50E086322446147BD260EB69EC41FDB77AEDFC5760F004459FA18A7141D671791187F4
            Function 00C72C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 245 c72c0a-c72c0f 246 c72c11-c72c18 245->246 247 c72c1f-c72c26 LdrInitializeThunk 245->247
            APIs
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 15331393eb4641f4f429f77a537f634cd4ddf34785cde5e24168b8e54e1fedb1
            • Instruction ID: b57f8332719751808975c2c1456d172dfe2e20ee21c40f2f05eb5bf6e76f82f3
            • Opcode Fuzzy Hash: 15331393eb4641f4f429f77a537f634cd4ddf34785cde5e24168b8e54e1fedb1
            • Instruction Fuzzy Hash: 6FB09BB19015C5C5EF15F760460871B790567E0745F56C072D3170685E4738C5D5F275

            Non-executed Functions

            Function 00CB2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2160512332
            • Opcode ID: 847c2e73bff8933a4e4f40de16c62efb1451c4ff39ecc245567dbc8311dd9227
            • Instruction ID: ce6c7971341db1194ca490d711d83deb8e5d99d1f6ea000b393a9ee4f065a877
            • Opcode Fuzzy Hash: 847c2e73bff8933a4e4f40de16c62efb1451c4ff39ecc245567dbc8311dd9227
            • Instruction Fuzzy Hash: 2E92AD71608381AFD720DF24C885BABB7E8BB84750F14492DFAA4D7291D770EE44DB92
            Function 00C268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-3089669407
            • Opcode ID: bd0d772f1e3cd30b597443e96e051d61cd223ed27498deb6bea8042497036e3e
            • Instruction ID: 739196495b256cb54f00e101542db8d5096e7813e2cd4827330f78fdd07e93ab
            • Opcode Fuzzy Hash: bd0d772f1e3cd30b597443e96e051d61cd223ed27498deb6bea8042497036e3e
            • Instruction Fuzzy Hash: 8981E2B2D01619BF8B21EBE4EDD5EEEB7BDAB14710B144521B900F7251E630ED059BB0
            Function 00C60F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
            • API String ID: 0-360209818
            • Opcode ID: 69a33150197570de2a686cc919c1bc567f178d444c0b9ca368227b109475164c
            • Instruction ID: fb9043f37cfa487354fb6231373050c686670566597872c28c9e205218eca909
            • Opcode Fuzzy Hash: 69a33150197570de2a686cc919c1bc567f178d444c0b9ca368227b109475164c
            • Instruction Fuzzy Hash: 766293B5E002268FDB34CF19C8417A9B7B6EF96314F5982DAD859AB280D7325ED1CF40
            Function 00CE12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
            • API String ID: 0-3591852110
            • Opcode ID: cba055466336859397bcdc4c91dddcae287a7ce08268be048ed5465d187b887c
            • Instruction ID: ac53e16c3758b72dc4c529aec863be657bd37974d4a11ca374696a7853e2b3d7
            • Opcode Fuzzy Hash: cba055466336859397bcdc4c91dddcae287a7ce08268be048ed5465d187b887c
            • Instruction Fuzzy Hash: 0312E070600682DFD725DF2AC441BBABBF1FF09714F188459E8968BA92D734ED90DB50
            Function 00C4AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
            • API String ID: 0-3197712848
            • Opcode ID: f7e4245510f8b7cee9432bd288ab232735c2c0eb60b797112df084ba30c7d8f2
            • Instruction ID: 74f56eafcd3278c01f1bc467a7348e17fe79e17a0a79ae74e2bd6aa1add178ef
            • Opcode Fuzzy Hash: f7e4245510f8b7cee9432bd288ab232735c2c0eb60b797112df084ba30c7d8f2
            • Instruction Fuzzy Hash: 8812F071A083418FD724DF68C845BAAB7E0FF95704F04092DF8958B291EB34DE49DBA2
            Function 00C2D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
            • API String ID: 0-3532704233
            • Opcode ID: 23a6f0382c49473ab0c49e9429a2b491154f9aa9dec3bd63cf5eb7869b598c98
            • Instruction ID: 5b7171546a75df597b9c352c2e73f620e33791aad36c3115a956366a2d881ee1
            • Opcode Fuzzy Hash: 23a6f0382c49473ab0c49e9429a2b491154f9aa9dec3bd63cf5eb7869b598c98
            • Instruction Fuzzy Hash: ABB19CB25083619FD721DF24D480B6BB7E8AF98754F01492EF89AD7240D770DE48DB92
            Function 00CE0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
            • API String ID: 0-1357697941
            • Opcode ID: f494c55702b8f1d6e578951b1125c2e823353ad884edbf2c66a8546379a7a08f
            • Instruction ID: 45528556383537cc6fc37cdca49cae43fa7fc2bb112260b0270a2ee0c776f854
            • Opcode Fuzzy Hash: f494c55702b8f1d6e578951b1125c2e823353ad884edbf2c66a8546379a7a08f
            • Instruction Fuzzy Hash: 51F13531A006D5EFCB25DF6AC441BAAB7F5FF09300F188469E89197682C774AEC5DB90
            Function 00CC9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
            • API String ID: 0-3063724069
            • Opcode ID: 80b4094aa615eb31632d93434576fc6b3c1411a260e7584d95d124648cf8bee9
            • Instruction ID: 993343cce942a342187e70a38d64cefe393b86e0c2028e5400704a32cdf71233
            • Opcode Fuzzy Hash: 80b4094aa615eb31632d93434576fc6b3c1411a260e7584d95d124648cf8bee9
            • Instruction Fuzzy Hash: 56D114B2808351AFD721DB64C849F6FB7E8EF84714F044A2DFA94A7191D770CE449B92
            Function 00CE0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
            • API String ID: 0-1700792311
            • Opcode ID: 274b46a0833b77cc4d9727ece6a319dc608d8d2d4dd398f6cf8c8b20d36200e3
            • Instruction ID: 48cb86be7bf6a72596615dbeadb1658b232861d8c75a4cb9d7a3858fb33f032e
            • Opcode Fuzzy Hash: 274b46a0833b77cc4d9727ece6a319dc608d8d2d4dd398f6cf8c8b20d36200e3
            • Instruction Fuzzy Hash: F0D1F1315006C1DFCB22DF6AD441AADBBF1FF45700F288059E8559B6A2C7B49E81DFA4
            Function 00C2D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 00C2D146
            • @, xrefs: 00C2D0FD
            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 00C2D0CF
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 00C2D2C3
            • Control Panel\Desktop\LanguageConfiguration, xrefs: 00C2D196
            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 00C2D262
            • @, xrefs: 00C2D2AF
            • @, xrefs: 00C2D313
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
            • API String ID: 0-1356375266
            • Opcode ID: 64ac39ece96938920ec7f58fa5038a90ddb9567bcedaeed719a98288f430bbcb
            • Instruction ID: f88fc9c56ae575bd48ed3e7a209e6c8cde90e35a3054af93a7e4ab43460faff9
            • Opcode Fuzzy Hash: 64ac39ece96938920ec7f58fa5038a90ddb9567bcedaeed719a98288f430bbcb
            • Instruction Fuzzy Hash: F5A1CB71908355DFE320DF21D484B6FB7E8BB94729F00892EF59996280E774DA08DB93
            Function 00C49EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
            Download Yara Rule
            Strings
            • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 00C97709
            • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 00C976EE
            • minkernel\ntdll\sxsisol.cpp, xrefs: 00C97713, 00C978A4
            • Status != STATUS_NOT_FOUND, xrefs: 00C9789A
            • sxsisol_SearchActCtxForDllName, xrefs: 00C976DD
            • Internal error check failed, xrefs: 00C97718, 00C978A9
            • @, xrefs: 00C49EE7
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
            • API String ID: 0-761764676
            • Opcode ID: 053f902ce8be896cdd12223284901face4c9c9862aa232266d6e00cd2f3f6dc1
            • Instruction ID: 8b21022e468faece7cb7336f5e04381d728cdd6d60a5c66194dd39a2aa12ed78
            • Opcode Fuzzy Hash: 053f902ce8be896cdd12223284901face4c9c9862aa232266d6e00cd2f3f6dc1
            • Instruction Fuzzy Hash: BD129B70A10229CBDF24CFA8C885AFEB7B4FF58310F14816AE859EB241E7349D45DB65
            Function 00C3EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
            • API String ID: 0-1109411897
            • Opcode ID: c700d13c970450d88239d24d28594ab501c1113649e3f9dda1b8c71f7206164f
            • Instruction ID: 91fb99b6bfc71c6a6292e69d397f1e126b9230ef9fc2dddd4f74afff4b9f2015
            • Opcode Fuzzy Hash: c700d13c970450d88239d24d28594ab501c1113649e3f9dda1b8c71f7206164f
            • Instruction Fuzzy Hash: 8FA22874E15629CBDF68DF19C888BADB7B5AF45304F2442E9D81DA7290DB349E82CF00
            Function 00C2F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-523794902
            • Opcode ID: 25101b710cb67b8ebcad9aa5d658200dc069704ac04e3b6018f0433f0eed7dcb
            • Instruction ID: d55723656bdcf63079de9f545c7dbaf1e81490f7d72ac8d614ba612089556a27
            • Opcode Fuzzy Hash: 25101b710cb67b8ebcad9aa5d658200dc069704ac04e3b6018f0433f0eed7dcb
            • Instruction Fuzzy Hash: CE42DC312083959FC715EF29E884A2ABBE5BF84308F14497DF4968B692D730DD82DB52
            Function 00C3ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
            • API String ID: 0-4098886588
            • Opcode ID: dc224cee5bb168339805c047aa548d21732cddc837e068006b735fce973cd07b
            • Instruction ID: 5725fa6f3310dcc0db30cf9d889e18e1bbcfd499e41b758091b86cb8fad19b0e
            • Opcode Fuzzy Hash: dc224cee5bb168339805c047aa548d21732cddc837e068006b735fce973cd07b
            • Instruction Fuzzy Hash: E532BC71A102A98BDF26CF15CC98BEEB7B5AF44340F2041EAE959A7251DB319F819F40
            Function 00C4B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
            • API String ID: 0-122214566
            • Opcode ID: 3fb1c1d120f1995aff1c2140d2500cb66dd0fd47671af58c7f3189b457fe67da
            • Instruction ID: 7af0b750e62ccafa90a509bc2ae91a0b04d4166a1f5bdbc24f7df392cccf6472
            • Opcode Fuzzy Hash: 3fb1c1d120f1995aff1c2140d2500cb66dd0fd47671af58c7f3189b457fe67da
            • Instruction Fuzzy Hash: 74C18B31A00215ABCF248F65C895BBEB7A5BF46300F144069ED12EB2E2DFB4DE45D3A0
            Function 00C663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
            • API String ID: 0-792281065
            • Opcode ID: 2b6f39ea2b0496e0536988d7824549088e4a1db546279cb2c420aeade89b88c8
            • Instruction ID: 94817525fb176215785b5d1ddf3bc8f5eb42c6b7c41cc29e66cd569af720521f
            • Opcode Fuzzy Hash: 2b6f39ea2b0496e0536988d7824549088e4a1db546279cb2c420aeade89b88c8
            • Instruction Fuzzy Hash: 11911770A007169BDB38DF54EC86BBE77A0EB92728F140128F511A77D1DBB49D42E7A0
            Function 00CDF525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
            • API String ID: 0-1745908468
            • Opcode ID: d165858712f5294bf5aaf41065a554bc22ae33f9cd425cd42a13d47a1161727c
            • Instruction ID: 4c199ca9f9265ef15c24628e833d4a195c8d10bc29b569bdb6f4fb11e23c4293
            • Opcode Fuzzy Hash: d165858712f5294bf5aaf41065a554bc22ae33f9cd425cd42a13d47a1161727c
            • Instruction Fuzzy Hash: BA910231900640DFCB12DF68D841AADBBF1FF49704F14806EE956AB7A2C7359E82EB54
            Function 00C2645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
            Download Yara Rule
            Strings
            • apphelp.dll, xrefs: 00C26496
            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 00C899ED
            • LdrpInitShimEngine, xrefs: 00C899F4, 00C89A07, 00C89A30
            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 00C89A2A
            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 00C89A01
            • minkernel\ntdll\ldrinit.c, xrefs: 00C89A11, 00C89A3A
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-204845295
            • Opcode ID: 5857d96065263fbe6937372049fee5343876b7b01b9a7faaa69283628502d79b
            • Instruction ID: aa302b55e677ae96939dbeb04411e80e61e7c2d2615a33d32d2b2772b0274eba
            • Opcode Fuzzy Hash: 5857d96065263fbe6937372049fee5343876b7b01b9a7faaa69283628502d79b
            • Instruction Fuzzy Hash: F751C0712083149FD324EF24D882BAB77E4FF84748F140929F596972A1D730EE44EBA6
            Function 00C5F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
            Download Yara Rule
            Strings
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00CA02BD
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00CA02E7
            • RTL: Re-Waiting, xrefs: 00CA031E
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
            • API String ID: 0-2474120054
            • Opcode ID: 6671c8715c1a606b061ac553775564d21d0695d8894f217c3f1211bed8405f78
            • Instruction ID: b9b0b77e363eba775d0d59ef692b12a4b4e4186c2d5292c68d79c73441071fb7
            • Opcode Fuzzy Hash: 6671c8715c1a606b061ac553775564d21d0695d8894f217c3f1211bed8405f78
            • Instruction Fuzzy Hash: D2E1F3346047419FD728CF28C885B1AB7E0BF49358F240A2DF9A5872E1D774D98ACB46
            Function 00CB9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
            • API String ID: 0-3127649145
            • Opcode ID: 8566e8eb5eb173cffe62f110dbd014612ca0ae50ab300539569a200459b5d945
            • Instruction ID: d34520705f33040a9e771bb622200da7287a2ae5717eeddd4c63d47645e065e2
            • Opcode Fuzzy Hash: 8566e8eb5eb173cffe62f110dbd014612ca0ae50ab300539569a200459b5d945
            • Instruction Fuzzy Hash: 6B324770A017299BDB61DF65CC89BDAB7F8FF48300F1041AAE549A7251DB70AE84CF51
            Function 00C49950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
            • API String ID: 0-3393094623
            • Opcode ID: dc1eb49327f9832171661a9178730799e47b594750da6a047ae4cb83411a8fa9
            • Instruction ID: 3a51d500e4120c312e60cf897e88adceec246c0e9ced36ec36129452ce71849f
            • Opcode Fuzzy Hash: dc1eb49327f9832171661a9178730799e47b594750da6a047ae4cb83411a8fa9
            • Instruction Fuzzy Hash: 65026971909361CFCB20CF65C084BABBBE4FF89714F55891EE99987250E770D944CB92
            Function 00C551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
            Download Yara Rule
            Strings
            • Kernel-MUI-Language-SKU, xrefs: 00C5542B
            • Kernel-MUI-Language-Allowed, xrefs: 00C5527B
            • WindowsExcludedProcs, xrefs: 00C5522A
            • Kernel-MUI-Number-Allowed, xrefs: 00C55247
            • Kernel-MUI-Language-Disallowed, xrefs: 00C55352
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
            • API String ID: 0-258546922
            • Opcode ID: 676bc778fd40edda89749f67e0e76f56381ba4bbda80fc73690f955f44663a11
            • Instruction ID: 80deb5d2fa81a0729c0f93c17d53bcd51ff6970a2cb9700037d1fb868ee7efe8
            • Opcode Fuzzy Hash: 676bc778fd40edda89749f67e0e76f56381ba4bbda80fc73690f955f44663a11
            • Instruction Fuzzy Hash: B5F18C76D10618EFCF11DFA8C980AEEBBB8FF48750F50406AE905A7251E7709E44DBA0
            Function 00CB4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
            • API String ID: 0-2518169356
            • Opcode ID: 6465e5b80ca411fcbde34b0f4608930c5451eba19dc68fa0cf1d3962561d6d2e
            • Instruction ID: 4dfa6d2b8c5a0c860914f7ceadddae7042abff6dbbab64caa803c27e5bff9332
            • Opcode Fuzzy Hash: 6465e5b80ca411fcbde34b0f4608930c5451eba19dc68fa0cf1d3962561d6d2e
            • Instruction Fuzzy Hash: 0091AC72900A199BCB25DFA8C881AFEB7B1FF48310F594169E825E7391D735DE01DB90
            Function 00C470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: aeab515afea12ec0274cb958c37e1ed8cc27d511e4d03ad1656f3684f6505a7b
            • Instruction ID: 57b3c211abb3f191a6396e89600b568fb051141baaa03dce7b9db811b1c968d7
            • Opcode Fuzzy Hash: aeab515afea12ec0274cb958c37e1ed8cc27d511e4d03ad1656f3684f6505a7b
            • Instruction Fuzzy Hash: 1D139D70A04655CFDB25CF69C4907ADBBB1FF48304F2482A9E859AB381DB34AD46DF90
            Function 00C41070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
            • API String ID: 0-3570731704
            • Opcode ID: a100f8131dc3dbbee2b1165fb7dd06f0f4f9d5d27161207b3c08093dd419fd4c
            • Instruction ID: a56773c99a41b23d49007e90754b6792671bd0a183f349e1646056316d600c66
            • Opcode Fuzzy Hash: a100f8131dc3dbbee2b1165fb7dd06f0f4f9d5d27161207b3c08093dd419fd4c
            • Instruction Fuzzy Hash: 60926671A01668CFEB25CF29C844BA9B7B1BF44314F1981EAE999A7391D7309EC0CF51
            Function 00C4A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
            Download Yara Rule
            Strings
            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 00C97D56
            • SsHd, xrefs: 00C4A885
            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 00C97D03
            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 00C97D39
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
            • API String ID: 0-2905229100
            • Opcode ID: 3fe31047117655f1197fb6b5dc6d99a914f31f0596cf14d8da212674b88c165b
            • Instruction ID: 477ce315c289b932f243b46da231a9853e1ac174821f123f697aec304e578763
            • Opcode Fuzzy Hash: 3fe31047117655f1197fb6b5dc6d99a914f31f0596cf14d8da212674b88c165b
            • Instruction Fuzzy Hash: 7DD18E36A402199FDF24CF98C8C06ADB7B5FF58310F19416AE855AB351D331DE81DBA2
            Function 00C43D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 3bce3c756fb55b94858272ec659a2ede49bb86704c453e212a759dfbe8db807b
            • Instruction ID: 2a79cd530f3c7dbec94094a405d0125f23e10035e1c4e9e11bce8035c1f0d272
            • Opcode Fuzzy Hash: 3bce3c756fb55b94858272ec659a2ede49bb86704c453e212a759dfbe8db807b
            • Instruction Fuzzy Hash: D5E2B170A00655CFDB28CF69C490BA9BBF1FF49304F2481A9E855AB386D735AD46CF90
            Function 00C3A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
            • API String ID: 0-379654539
            • Opcode ID: 8279e019528e0edbfc06a22476dd13e40ed63236079f26f81123c9b754532c25
            • Instruction ID: 78fe5118ed9f2bf611e6c04dbd7605723f704dfc797f87adbb9cb8924d5cde3f
            • Opcode Fuzzy Hash: 8279e019528e0edbfc06a22476dd13e40ed63236079f26f81123c9b754532c25
            • Instruction Fuzzy Hash: 80C1AA75128782DFDB11CF19C044B6AB7E4BF88704F04886AF8D68B251E774CA59DB93
            Function 00C68402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
            Download Yara Rule
            Strings
            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00C6855E
            • LdrpInitializeProcess, xrefs: 00C68422
            • minkernel\ntdll\ldrinit.c, xrefs: 00C68421
            • @, xrefs: 00C68591
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1918872054
            • Opcode ID: 85ec71ed06720a8bba8a0b242791b188a509d2e78a54c6f28f250f04b8c76670
            • Instruction ID: 32df96497389031cd78efd3a4fef494a3e6cd85b26132402dbac36383c017119
            • Opcode Fuzzy Hash: 85ec71ed06720a8bba8a0b242791b188a509d2e78a54c6f28f250f04b8c76670
            • Instruction Fuzzy Hash: AD91AC71508345AFE721DF21CC85F6BB7E8FB84744F404A2EFA8592151EB34DA48DB62
            Function 00C40C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 00C954E0, 00C955A1
            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 00C954ED
            • HEAP[%wZ]: , xrefs: 00C954D1, 00C95592
            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 00C955AE
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
            • API String ID: 0-1657114761
            • Opcode ID: 1d73abf73ceea08e8a30e6980b26967e353a3ee62a7726f600d62b52d580850c
            • Instruction ID: 1ac7f6f6d72fbb2aa478009f73558d73e777af90cc455c72df687302f3e35bf9
            • Opcode Fuzzy Hash: 1d73abf73ceea08e8a30e6980b26967e353a3ee62a7726f600d62b52d580850c
            • Instruction Fuzzy Hash: 64A11130A44605DFDB24DF68C480BBABBF1BF54300F248529E6968B782D730ED48DB91
            Function 00C364AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
            Download Yara Rule
            Strings
            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00C910AE
            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00C91028
            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00C9106B
            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00C90FE5
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
            • API String ID: 0-1468400865
            • Opcode ID: 1a39491e06d6e73fd4fe7e988de48bc8c2c5f9d51de137d945c90eec765c0abb
            • Instruction ID: 537619b12ecd197fec6af34fb6a6d3be3bde11a7181612ce0d25b6f1e2846eee
            • Opcode Fuzzy Hash: 1a39491e06d6e73fd4fe7e988de48bc8c2c5f9d51de137d945c90eec765c0abb
            • Instruction Fuzzy Hash: F171D1B1904304AFCB20DF14C885F9B7BA8EF54764F508478F9498B286D734D689DBE2
            Function 00CE11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
            • API String ID: 0-336120773
            • Opcode ID: 2d1dac9b3fe7bfc68e9610b0ea865f7e1c0913d637ae9323cec3c14c72488165
            • Instruction ID: 107754eede362a1e9744536032109a0abcc110e5d9d4997a862b9ffab2e4d4d8
            • Opcode Fuzzy Hash: 2d1dac9b3fe7bfc68e9610b0ea865f7e1c0913d637ae9323cec3c14c72488165
            • Instruction Fuzzy Hash: 0B3102712006A0EFD711EB9ADC86F6AB3E8EF08720F180055FA11CB291D770ED90EA65
            Function 00C5245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00C9A992
            • apphelp.dll, xrefs: 00C52462
            • LdrpDynamicShimModule, xrefs: 00C9A998
            • minkernel\ntdll\ldrinit.c, xrefs: 00C9A9A2
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-176724104
            • Opcode ID: 96ee2b85ca684afc49fe64cd23802ffb7924bb157a050794a9129f6545a4e4bb
            • Instruction ID: ec1be51e4740afcd56090ef32bd168a197320e1b82b5f9493d762535c8f7794f
            • Opcode Fuzzy Hash: 96ee2b85ca684afc49fe64cd23802ffb7924bb157a050794a9129f6545a4e4bb
            • Instruction Fuzzy Hash: 5F312A71600301ABDF309F699C49A6EB7B5FB94B04F260019F911E73A1C7709E82EBE1
            Function 00C29148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
            • API String ID: 0-1391187441
            • Opcode ID: 2b53b813dcd07230fd6ed00b7cb98034e934614db4f31dddcc90eaf2e7cf6c19
            • Instruction ID: a4bfd4b6a186dc3699fcf58a090b8fd4af7df7f73875e01d225e0c648efd8611
            • Opcode Fuzzy Hash: 2b53b813dcd07230fd6ed00b7cb98034e934614db4f31dddcc90eaf2e7cf6c19
            • Instruction Fuzzy Hash: A631B072600225EFCB15EB46D889FEEB7B8EF45B24F144061F914AB691D770ED80EB60
            Function 00C429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 00C43264
            • HEAP[%wZ]: , xrefs: 00C43255
            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00C4327D
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
            • API String ID: 0-617086771
            • Opcode ID: 00a653c90b98601b190060b62359569d675c4bbda55257e3a09aef2ac17b61be
            • Instruction ID: d56fa69c649107f9241da399b60c59840a7a64b960f365e00be27b2a395ac79e
            • Opcode Fuzzy Hash: 00a653c90b98601b190060b62359569d675c4bbda55257e3a09aef2ac17b61be
            • Instruction Fuzzy Hash: A392CD71A042889FDB25CFA9C4457AEBBF1FF48300F188059E85AAB391D734AE45DF50
            Function 00C41F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 9207f2e4e9e5987336fa3ad8eeb4ee39bbbff93038591492d8721e7485e1d8d5
            • Instruction ID: c785eca76ebe034b9686a5cfaffd7d52b4e79e17bb651c7ddc971b51f7d5fad2
            • Opcode Fuzzy Hash: 9207f2e4e9e5987336fa3ad8eeb4ee39bbbff93038591492d8721e7485e1d8d5
            • Instruction Fuzzy Hash: 052212706006459FDB16DF28C49AB7ABBF5FF05704F248499E8658B382D735DE82CB50
            Function 00CD94E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $ $0
            • API String ID: 0-3352262554
            • Opcode ID: dfea0d430858060f38ac77550dc18551c89094fbe5696aa91c7281fe2bdcdf7c
            • Instruction ID: cdd210adee563b5d0b015834b4131534a672680b21e511c993bcd009c5e52c3f
            • Opcode Fuzzy Hash: dfea0d430858060f38ac77550dc18551c89094fbe5696aa91c7281fe2bdcdf7c
            • Instruction Fuzzy Hash: B93210B56083818FD360CF69C884B9BBBE5FB88304F14492EF6A987350D775E949CB52
            Function 00C40770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-4253913091
            • Opcode ID: 87fa616cb24d62d28bce1a1dad27453b59198fd48836983646f86bbad8a54272
            • Instruction ID: 18dfe1e3b727258f3307a2e590c5ad41c0e3a5c6011b99ba15a581171c79efb0
            • Opcode Fuzzy Hash: 87fa616cb24d62d28bce1a1dad27453b59198fd48836983646f86bbad8a54272
            • Instruction Fuzzy Hash: 56F1CC30B40A05DFDB25CF69C894B6AB7B5FF44300F248168E5269B392D734EE81DB91
            Function 00C31460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 00C31596
            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00C31728
            • HEAP[%wZ]: , xrefs: 00C31712
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 20b7a3070ec73a10ea1a1686a6eba0dcff87f370b29cff0de01088ca6846b142
            • Instruction ID: 051fecbb5d1fbcd34098d716e6623ea10d7bdce4643e8f308a0ff35e59bf364e
            • Opcode Fuzzy Hash: 20b7a3070ec73a10ea1a1686a6eba0dcff87f370b29cff0de01088ca6846b142
            • Instruction Fuzzy Hash: FEE12370A146459FDB29CF69C451B7ABBF1EF84304F28846DE8A6CB242E734EA41DB50
            Function 00C56962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $@
            • API String ID: 0-1077428164
            • Opcode ID: eabd6a2efb3b3b70796980606c4f0966a577e39be8eb273271d80ad9077be2e4
            • Instruction ID: b89dcb700dee5e15ca179e239faec949db9eddde0b2518b35abe75811a7d81d9
            • Opcode Fuzzy Hash: eabd6a2efb3b3b70796980606c4f0966a577e39be8eb273271d80ad9077be2e4
            • Instruction Fuzzy Hash: B0C2BB7560C3418FDB25CF25C885BABBBE5AF88304F048A2DF999C7241D734D988DB96
            Function 00C2A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: FilterFullPath$UseFilter$\??\
            • API String ID: 0-2779062949
            • Opcode ID: a0c41376ebb128eb2ab9a7b642c204591117ff892e505def77294ecf88a3c9ae
            • Instruction ID: 747878300e456bcd3beee0dbec0311e023ada72da759f9f7b4370baea3d0ea32
            • Opcode Fuzzy Hash: a0c41376ebb128eb2ab9a7b642c204591117ff892e505def77294ecf88a3c9ae
            • Instruction Fuzzy Hash: CDA167719016299BDB31AF24CC88BEAB7B8EF48714F1041EAE909A7250D7359FC5CF64
            Function 00C3B440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
            • API String ID: 0-373624363
            • Opcode ID: f2c17710c792f33b8f2afd66b7f2d0e955e9de2738501a660eaa1221657e5458
            • Instruction ID: dfe7b5a0f8c69ab6a06a675c8ae81d1613a13788745399814c0845ede323f6dd
            • Opcode Fuzzy Hash: f2c17710c792f33b8f2afd66b7f2d0e955e9de2738501a660eaa1221657e5458
            • Instruction Fuzzy Hash: BC91BCB1A14649CFDF25CF99C545BEEB7B0FF00314F24419AE921AB292D7789E80CB94
            Function 00C6909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %$&$@
            • API String ID: 0-1537733988
            • Opcode ID: 70610d4fdade2192107c722134b7b39658db5b1d669f080b4570a6c504b8f009
            • Instruction ID: 8f0a0f803d3fb8f7c4b647843de5b023c7a33246bb49d677da3a31fae1598e44
            • Opcode Fuzzy Hash: 70610d4fdade2192107c722134b7b39658db5b1d669f080b4570a6c504b8f009
            • Instruction Fuzzy Hash: 577191706087429FC724DF15C5D0A2BB7E9FF99718F20891DF4AA87251C730D905DB52
            Function 00C515F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON
            Download Yara Rule
            Strings
            • minkernel\ntdll\ldrmap.c, xrefs: 00C9A59A
            • Could not validate the crypto signature for DLL %wZ, xrefs: 00C9A589
            • LdrpCompleteMapModule, xrefs: 00C9A590
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
            • API String ID: 0-1676968949
            • Opcode ID: d3df124b7ac2efe4de3c7bca505d9ffc5862c1a88395f182d459de5a05f0a93c
            • Instruction ID: ff5cb9ada07395a7e468fc94e8b77a9dddb20987c847382e330329e50a0aec36
            • Opcode Fuzzy Hash: d3df124b7ac2efe4de3c7bca505d9ffc5862c1a88395f182d459de5a05f0a93c
            • Instruction Fuzzy Hash: 9D511138700B809BDB21CB18C988B2A77E4EB00714F1D0564FD619B6E2CB74EE85D789
            Function 00CDDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 00CDDC1F
            • HEAP[%wZ]: , xrefs: 00CDDC12
            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 00CDDC32
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
            • API String ID: 0-3815128232
            • Opcode ID: 967d2aeb0fe781d7ce9b7dda72315279f9be6ffce0f61e75d32b74d7c391b0ff
            • Instruction ID: 2ffd1a0b7730414996356a489ce4a2ea0a9deaa3b19d702d61f31493b79d825d
            • Opcode Fuzzy Hash: 967d2aeb0fe781d7ce9b7dda72315279f9be6ffce0f61e75d32b74d7c391b0ff
            • Instruction Fuzzy Hash: E5513335914210ABE324CF2AC88477277E1DB55348F26888BE6E3CB781D275ED43EB60
            Function 00C2758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
            • API String ID: 0-1151232445
            • Opcode ID: bff4ed11776ee56ac6d9c915828715af000d46ae8cd6d38174c7e3f325693d96
            • Instruction ID: 49df020bb58f85c5732a6d4d06d22f2c4aac8f25a8f07966ff89ff6bd208afec
            • Opcode Fuzzy Hash: bff4ed11776ee56ac6d9c915828715af000d46ae8cd6d38174c7e3f325693d96
            • Instruction Fuzzy Hash: B7415B703046608FEF39EB9DD0C477677E09F01308F18416AE5568BA52D7B4DD86CB56
            Function 00CEC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 00CEC1F1
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 00CEC1C5
            • PreferredUILanguages, xrefs: 00CEC212
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
            • API String ID: 0-2968386058
            • Opcode ID: ee12191afee21530d9946c1bac362cb4477bb599e5f311179c4f8118486a8291
            • Instruction ID: 7cd44a5a6c4dd735b25287df53b1d8544d4bc733e8cd8a4e1df08a1b1b6a8b7c
            • Opcode Fuzzy Hash: ee12191afee21530d9946c1bac362cb4477bb599e5f311179c4f8118486a8291
            • Instruction Fuzzy Hash: E1418D72E0025AEBDB11DAD5C881FEEB7B8AB14700F10406AEA15F7280D7B49E45DB90
            Function 00CC4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
            • API String ID: 0-1373925480
            • Opcode ID: df7e1129c1d15601f40a02f78b00059b9c65e859c94c8dd46dc70620dcc121b9
            • Instruction ID: 41c8e4fe21e210aa2524f796f0463c721bffe20337c1378884e404ede0a1f1f2
            • Opcode Fuzzy Hash: df7e1129c1d15601f40a02f78b00059b9c65e859c94c8dd46dc70620dcc121b9
            • Instruction Fuzzy Hash: 35412471904288CBEB29DBD5C861FADB7B4FF55340F28445EE851EB391D7348A41DB10
            Function 00C633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • RtlCreateActivationContext, xrefs: 00CA29F9
            • SXS: %s() passed the empty activation context data, xrefs: 00CA29FE
            • Actx , xrefs: 00C633AC
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
            • API String ID: 0-859632880
            • Opcode ID: 313881a3c3f64f05065b8cf35635d96e8271928246cc6c84649781396106c3f2
            • Instruction ID: 9721a8acc1d7f7dbe4092d80a0f5411b3fd6920d661a2b3834744fbefa5bf043
            • Opcode Fuzzy Hash: 313881a3c3f64f05065b8cf35635d96e8271928246cc6c84649781396106c3f2
            • Instruction Fuzzy Hash: A43122326003529FDB26DE68D8C5BA6BBA4FB45714F158429FD059F292CB30EE41DB90
            Function 00CBB594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON
            Download Yara Rule
            Strings
            • GlobalFlag, xrefs: 00CBB68F
            • @, xrefs: 00CBB670
            • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 00CBB632
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
            • API String ID: 0-4192008846
            • Opcode ID: 7e7e830638e9c7571ad8991ff93f7cb9d1ec851451a79a8dffad81120c7fedcd
            • Instruction ID: d209ec7db55fcd0f739e5396f8c4cfa431179246b10c04f67083ee7b28c0a231
            • Opcode Fuzzy Hash: 7e7e830638e9c7571ad8991ff93f7cb9d1ec851451a79a8dffad81120c7fedcd
            • Instruction Fuzzy Hash: 0F313AB1A00219AFDB14EF94CC81AEEBBB8EF48744F144469FA05A7151E7B49F40DBA4
            Function 00C71270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
            Download Yara Rule
            Strings
            • @, xrefs: 00C712A5
            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00C7127B
            • BuildLabEx, xrefs: 00C7130F
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
            • API String ID: 0-3051831665
            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction ID: 6aa472baed62810db81b259135de5e0de46f73736de6c61265a7efcb72169847
            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction Fuzzy Hash: F531E272900519AFCB11EF95CC45EEEBBBDEB84724F048021F918A7161D730DE05EB50
            Function 00CB20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
            Download Yara Rule
            Strings
            • LdrpInitializationFailure, xrefs: 00CB20FA
            • Process initialization failed with status 0x%08lx, xrefs: 00CB20F3
            • minkernel\ntdll\ldrinit.c, xrefs: 00CB2104
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2986994758
            • Opcode ID: fdaecb05d0339a306f8b253ff79e168cbb0db4d8b4dd9e519f2be4d2051c1f0c
            • Instruction ID: c6468ed7a24a35958ed438994671eacf0f2fb2089ec397dc1744b0375d0fd6eb
            • Opcode Fuzzy Hash: fdaecb05d0339a306f8b253ff79e168cbb0db4d8b4dd9e519f2be4d2051c1f0c
            • Instruction Fuzzy Hash: 3EF0F675680308BBEB24EB4CDC43FDE3768EB41B54F100065FA00BB6D1D2B0AE51E6A1
            Function 00C403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: #%u
            • API String ID: 48624451-232158463
            • Opcode ID: f701932f30f0e002f2c990a12c9fd15a2218dae75fe861de78827b97f2fdca7c
            • Instruction ID: 13fb2ce70fdbd5d9c22480e84012a5b3fc4a887187526643d7f958aa2871d0ee
            • Opcode Fuzzy Hash: f701932f30f0e002f2c990a12c9fd15a2218dae75fe861de78827b97f2fdca7c
            • Instruction Fuzzy Hash: 18713872A0014A9FDB05DFA8C995FAEB7B8FF48704F244065E905E7252EB34EE01DB61
            Function 00CD705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: kLsE
            • API String ID: 3446177414-3058123920
            • Opcode ID: 0cd8ceda55ff50c7f9710e32f4abbe4058958542bbf9006040a1d0269d8cffc7
            • Instruction ID: 9edd80096558b58cd9697e8930279b67f90c1aa164724b681a5e1f78ecdf2d4a
            • Opcode Fuzzy Hash: 0cd8ceda55ff50c7f9710e32f4abbe4058958542bbf9006040a1d0269d8cffc7
            • Instruction Fuzzy Hash: 51417B3150535547D731AB64EC46B693BA0EB50B24F14031AFE60CB3E2DB709987DBB1
            Function 00C452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@
            • API String ID: 0-149943524
            • Opcode ID: 3e3c12082caaa11aed825ca7d1b9c3f3794e8a4c8eac5aa2357a3655152ae43d
            • Instruction ID: 71fe8db7387567d09dcadc89286b1157584af60f8846cf72cb0f7742fdfa61ff
            • Opcode Fuzzy Hash: 3e3c12082caaa11aed825ca7d1b9c3f3794e8a4c8eac5aa2357a3655152ae43d
            • Instruction Fuzzy Hash: 243288706087118BCB24CF19C484B7EB7E1BF88740F55492EF9A59B2A1E734DE84DB92
            Function 00CFA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: `$`
            • API String ID: 0-197956300
            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction ID: 1d3b43e7d85274a0d4d94e38cf1a5999044bd61f5ffa3be995d29ad9c86881f4
            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction Fuzzy Hash: 5DC1DF7120434A9BDB64CF28C841B2BFBE5AF84314F184A2DF6A9CA291D774DA05CB43
            Function 00C30CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
            Download Yara Rule
            Strings
            • Failed to retrieve service checksum., xrefs: 00C8EE56
            • ResIdCount less than 2., xrefs: 00C8EEC9
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
            • API String ID: 0-863616075
            • Opcode ID: f23066487e1ead95066ff139235c1537920b7c4ba1ccb8ea803f5e2b91921859
            • Instruction ID: 9b77641fc6fe458ea70f49df38f7000b981da35cd616eec29919a0691424386d
            • Opcode Fuzzy Hash: f23066487e1ead95066ff139235c1537920b7c4ba1ccb8ea803f5e2b91921859
            • Instruction Fuzzy Hash: 5BE1F3B1918784DFE324CF15C441BABBBE0FB88314F508A2EE5998B391DB709949CF56
            Function 00C304E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
            Download Yara Rule
            Strings
            • kLsE, xrefs: 00C30540
            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00C3063D
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
            • API String ID: 0-2547482624
            • Opcode ID: 6cf41f0defdf1d10592e932e4235a381d13e078c9bd4df7ad6782035eb8878fa
            • Instruction ID: d6366444743500cd90b51a4536a7905f3824659b3fab5c9b3f4f21d03e4bc9c8
            • Opcode Fuzzy Hash: 6cf41f0defdf1d10592e932e4235a381d13e078c9bd4df7ad6782035eb8878fa
            • Instruction Fuzzy Hash: 4F51CF725247428FC724EF64C5556A7B7F4AF84304F20883EF9AA87241E770EA45CF96
            Function 00602CD8 Relevance: 2.6, Strings: 2, Instructions: 150COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: VUUU$gfff
            • API String ID: 0-2662692612
            • Opcode ID: 2349c232202e9f9bcaeadedb7bb7f3ea50b218890ce27f780be531d26c08b0cf
            • Instruction ID: baf97d0226c42ece64d31d582abd60112bd5214e582a11d7e78e1f4cea971e26
            • Opcode Fuzzy Hash: 2349c232202e9f9bcaeadedb7bb7f3ea50b218890ce27f780be531d26c08b0cf
            • Instruction Fuzzy Hash: C3415632B4015A4BDB28895DDC947EAB697EFD8300F1982BADD4CCB3E1D534ED058780
            Function 00601C25 Relevance: 2.6, Strings: 2, Instructions: 130COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: VUUU$gfff
            • API String ID: 0-2662692612
            • Opcode ID: 2abe95922023d5b840c95274a31f8f0c8b8d11c5561ed4fc86364f92b5c95d59
            • Instruction ID: 8fa54704f4eb79ca42260d780f43dd058e09c725b7962ae9fb22a4121f2af7db
            • Opcode Fuzzy Hash: 2abe95922023d5b840c95274a31f8f0c8b8d11c5561ed4fc86364f92b5c95d59
            • Instruction Fuzzy Hash: 41312672F801284BDB1C8D5D888019AB7A7DBD6314B1982BEED4ADF3D0F635DE1186C0
            Function 00C3A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
            Download Yara Rule
            Strings
            • RtlpResUltimateFallbackInfo Enter, xrefs: 00C3A2FB
            • RtlpResUltimateFallbackInfo Exit, xrefs: 00C3A309
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
            • API String ID: 0-2876891731
            • Opcode ID: 005e79097f4e2f15be2e88b2413ed0132c725cf08a664569d7fb4284a2994ed1
            • Instruction ID: a8d3be113fe55cc509def8089815dfa5d7f2afac13451898f962a9f2c681a21b
            • Opcode Fuzzy Hash: 005e79097f4e2f15be2e88b2413ed0132c725cf08a664569d7fb4284a2994ed1
            • Instruction Fuzzy Hash: 1141CE71A14649DBCB21CF69C884BAE77F4FF84700F2440A9E8A5DB2A1E375DE40DB51
            Function 00CC35BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
            • API String ID: 0-118005554
            • Opcode ID: 113f96fd3a480bc49f6561536e715b9658405dbceda29645ed55edae6f376992
            • Instruction ID: 0d4b8a5b926a3da1cfcc4abb5d27cf10bbe00725cd8118daf0c7a4125aa4cab2
            • Opcode Fuzzy Hash: 113f96fd3a480bc49f6561536e715b9658405dbceda29645ed55edae6f376992
            • Instruction Fuzzy Hash: D631CD31208781ABD312DB69E845B2AB7E4FF85714F14486DF864CB391EB70DA05CB96
            Function 00C6329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local\$@
            • API String ID: 0-380025441
            • Opcode ID: 49669df9d247ded9b30f4d03b85b231d3ec0cb80ce9b7bbc9c34026503b932b1
            • Instruction ID: 1f8e23cd17122a4196fdd1bcabff7bff03befc4ea80771fa28d4fe5b82036795
            • Opcode Fuzzy Hash: 49669df9d247ded9b30f4d03b85b231d3ec0cb80ce9b7bbc9c34026503b932b1
            • Instruction Fuzzy Hash: 9E31A1725083449FC321DF29C8C1A6BBBE8FB85764F40092EF99583361DA30DE06DB92
            Function 00C634B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON
            Download Yara Rule
            Strings
            • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 00CA2A95
            • RtlpInitializeAssemblyStorageMap, xrefs: 00CA2A90
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
            • API String ID: 0-2653619699
            • Opcode ID: 9338be9b6055471875b7e567905822fe0526aacead85548f0b75f6e868f81f08
            • Instruction ID: 2fa2b7cf95695d5755e7480ac3e45166cd3154fc2376b30ddb3a8af6e6133ad8
            • Opcode Fuzzy Hash: 9338be9b6055471875b7e567905822fe0526aacead85548f0b75f6e868f81f08
            • Instruction Fuzzy Hash: 56114071B04215FBE7368A4DCD81F7BB6A9DB95B54F24806DB904DB280D674CF00A790
            Function 00C6A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: Cleanup Group$Threadpool!
            • API String ID: 2994545307-4008356553
            • Opcode ID: 3fead92ae700db2a8f30db20bb83d468d821d6f95631c5c099b3f450c5fbe609
            • Instruction ID: 63ebf826662be597c08fcbe54257af09560af230939291b8d6345e260b7ca5f6
            • Opcode Fuzzy Hash: 3fead92ae700db2a8f30db20bb83d468d821d6f95631c5c099b3f450c5fbe609
            • Instruction Fuzzy Hash: 0D01D1B2240740EFD331DF14CD8AB1677E8EB54716F048979B558C7190E334D805DB46
            Function 00C3C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: MUI
            • API String ID: 0-1339004836
            • Opcode ID: 650d0b8d24aa7a7d6b038ceb959ca6f913f7e759cdbc4fa3d66d9c97115a45bf
            • Instruction ID: 4a697300db4b8a6a56d2edcf74c75dc1f983ab55faa1245b2487c985b4441184
            • Opcode Fuzzy Hash: 650d0b8d24aa7a7d6b038ceb959ca6f913f7e759cdbc4fa3d66d9c97115a45bf
            • Instruction Fuzzy Hash: 49825C75E102188FDB24CFA9D980BEDB7B5BF48710F148169E86ABB251D7309E81CF51
            Function 00C82F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: P`vRbv
            • API String ID: 0-2392986850
            • Opcode ID: 8311a880293e0ec6b51ed95d4e83373bff69492dc03e824058d2febde520522a
            • Instruction ID: 8f6ecf4c7b58bc2c66f3cafbf3d11d32932163d3e5ac51ecd110ca822547c69e
            • Opcode Fuzzy Hash: 8311a880293e0ec6b51ed95d4e83373bff69492dc03e824058d2febde520522a
            • Instruction Fuzzy Hash: C5421871D042D9AEDF28FF68D8496BDBBB0AF05B18F24901AE461AB290D7348F41D75C
            Function 00C37370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 908c1405592ed6693a45d39751f32657cdee7f049b2bdae70417566cad23e60d
            • Instruction ID: 7b06e03379e849e8a56bea0a3b86db41c9d5bcec28a9e34b698a966c6a0a6673
            • Opcode Fuzzy Hash: 908c1405592ed6693a45d39751f32657cdee7f049b2bdae70417566cad23e60d
            • Instruction Fuzzy Hash: 84A179B1618742CFC724DF29C480A2ABBE5BF98304F244A2EF59587351E730EA45DF92
            Function 00C52E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: ddf78c11fdd522482c567f009a2d6b6e1cf2a35f198d590c89cbde9ed93e37f6
            • Instruction ID: 2a4e62b4be18ac927c9f613efe0be1a02d1235a0fe288546323e722b10f7c6c1
            • Opcode Fuzzy Hash: ddf78c11fdd522482c567f009a2d6b6e1cf2a35f198d590c89cbde9ed93e37f6
            • Instruction Fuzzy Hash: 66F1C0796047818FCB21CF25C484A6BBBE1AFC8751F14482DFC5987291CB34DE89DB5A
            Function 006169CE Relevance: 1.7, Strings: 1, Instructions: 425COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 75af2a8d2852c8ad7cda522844974fdaf23f90bb713bc88d26c29e396c8d1058
            • Instruction ID: 4099a08a0d358541706846b7cff12f276e1448b2a40219fb42e2e2431431b011
            • Opcode Fuzzy Hash: 75af2a8d2852c8ad7cda522844974fdaf23f90bb713bc88d26c29e396c8d1058
            • Instruction Fuzzy Hash: 87022DB6E006199FDB54CF9AC8805DDFBF2FF88314F1AC1AAD849A7315D6746A418F80
            Function 006169D3 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction ID: ed44919d4a46fbc42abf4d1230c5b4a59c87e63ae687d83fc1cbd272103d9cd4
            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction Fuzzy Hash: 9B022DB6E006199FDB54CF9AC8805DDFBF2FF88314F1AC1AAD849A7315D6746A418F80
            Function 00C32FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PATH
            • API String ID: 0-1036084923
            • Opcode ID: 52301342f5ea68a3fc78c2715cb8d4f931ca815f9f126cdd64c006b84f5ffa3a
            • Instruction ID: e44af85d2e18ff4bbc5139316270ddd626953ddb88327641aa5d8b22c411e379
            • Opcode Fuzzy Hash: 52301342f5ea68a3fc78c2715cb8d4f931ca815f9f126cdd64c006b84f5ffa3a
            • Instruction Fuzzy Hash: 8BF1AE71D20298DBCB25DF99D881ABEB7B1FF88700F548029E905EB361D7349E42DB61
            Function 00C30100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: d04b4ad5dfcfa17decb26131eaadb02d718a0c864d1b781f9bd5f25ab6fe5924
            • Instruction ID: 3c1327fae165d6cfa716c26d643028ad91dcf318271f0ce018c77497ae58f7d7
            • Opcode Fuzzy Hash: d04b4ad5dfcfa17decb26131eaadb02d718a0c864d1b781f9bd5f25ab6fe5924
            • Instruction Fuzzy Hash: B1A16A33A243686BDF28DA25C865BFF77A45F55308F244099FD9AA7281C770CE40DB58
            Function 00601200 Relevance: 1.4, Strings: 1, Instructions: 159COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: >HOb
            • API String ID: 0-2607079240
            • Opcode ID: de68c99ddc9fec5f5bdb38f15499cb118633850d39761c316136a5a8ddc3beb9
            • Instruction ID: 044dfc6e58b0688cf93b881bed729abcb6b70a88746575d79f389d1eec9e0513
            • Opcode Fuzzy Hash: de68c99ddc9fec5f5bdb38f15499cb118633850d39761c316136a5a8ddc3beb9
            • Instruction Fuzzy Hash: 3351A071E5074A87CF0CCF99C8911EEB772EFA6304F14835AE915AE381E7749A81CB94
            Function 00CEB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PreferredUILanguages
            • API String ID: 0-1884656846
            • Opcode ID: b4adf6798aac9f8b7630bfc16d9716c170379cfbe5079bb5781ab5019ce6c7fa
            • Instruction ID: bb4ee8217017da096f7eedc61ca1e62d358e43be14a7125f780186cb80a79d9b
            • Opcode Fuzzy Hash: b4adf6798aac9f8b7630bfc16d9716c170379cfbe5079bb5781ab5019ce6c7fa
            • Instruction Fuzzy Hash: FB41F336D00299ABCB11DA96C882BFFB3B9EF44750F110166F911EB264DB30DE40C7A0
            Function 00C67505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
            • Instruction ID: fa97c8361d229d485d3e37702724a711f42ad6ab199bf2d62db8b3023768fa6c
            • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
            • Instruction Fuzzy Hash: E841CD75A04616EBCF24DF48C490BBEB3B4FF85709F104A9AE912A7200DB34DE41CBA1
            Function 00C35096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx
            • API String ID: 0-89312691
            • Opcode ID: 73642a5eb332e2a1ead7bd0d3edf88ab925caea0242d1cfb35b0b80f5b4ee15c
            • Instruction ID: c0b622c2b4c246a74306cfc1a469137775ee7565fae8019f1f5d747b05f81829
            • Opcode Fuzzy Hash: 73642a5eb332e2a1ead7bd0d3edf88ab925caea0242d1cfb35b0b80f5b4ee15c
            • Instruction Fuzzy Hash: 5C118230729E028BEB2C491E885477AB2D5EB95364F34853AE472CB391D673DD41D780
            Function 00C6E8F0 Relevance: 1.0, Instructions: 985COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 588767fb2aa6d1f41a21c3f47cede86ce6c3e32f49274fdf632e071a8d54706b
            • Instruction ID: 0a59f5b0a5f3b9b347f65d40423d54c813cfcf015d180e4c36f8c637d6951891
            • Opcode Fuzzy Hash: 588767fb2aa6d1f41a21c3f47cede86ce6c3e32f49274fdf632e071a8d54706b
            • Instruction Fuzzy Hash: 8C822172F102188BCB58CFADDC916DDB7F2EF88314B19812DE41AEB345DA34AC568B45
            Function 00C7516C Relevance: .8, Instructions: 785COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d5bac9a4b6eadc35af3ecd2e4f2a113ea3cb40534a3e8726a12e6a6a037d5e64
            • Instruction ID: 763cbdfb3711c36ff8d1113f4410598a2ce486200363934e65a1251ca4b2fbe4
            • Opcode Fuzzy Hash: d5bac9a4b6eadc35af3ecd2e4f2a113ea3cb40534a3e8726a12e6a6a037d5e64
            • Instruction Fuzzy Hash: 8C62BD76908A8AAFCF14CF08D4905AEBB62FE51314B59C65CC8AE27705D3B1BE44CBD1
            Function 00C8739A Relevance: .7, Instructions: 705COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e677aa4aae7ea560b637acdc5696329f36271d9aac4a61c987efb7804302735a
            • Instruction ID: 7e7a8ea26287719c45f0b4434ae2c9c308a49e2bee3ca126068717c5861647ed
            • Opcode Fuzzy Hash: e677aa4aae7ea560b637acdc5696329f36271d9aac4a61c987efb7804302735a
            • Instruction Fuzzy Hash: E842B271A046168FDB19DF59C4806BEF7B2FF88318B24826DE552AB350E734ED42CB94
            Function 00C85AA0 Relevance: .7, Instructions: 652COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
            • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
            • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
            Function 00C5B2C0 Relevance: .6, Instructions: 629COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7d07719057152e2a6a39d4cdedbd5269715db1daae6dd23fe1f6b075b5ccda73
            • Instruction ID: 08df2b829a749486fd80cb4dc40c018b5779d7c3e14320dff53c83007b825574
            • Opcode Fuzzy Hash: 7d07719057152e2a6a39d4cdedbd5269715db1daae6dd23fe1f6b075b5ccda73
            • Instruction Fuzzy Hash: EA32BE75E00219DBCF24DFA8C884BAEBBB1FF54714F184029E815AB391EB359D85CB94
            Function 00C42840 Relevance: .6, Instructions: 605COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4243901e707716e91a4ff761455090a0025c20b12d9de1574a359fb4d765280f
            • Instruction ID: 86485537253b500471386d4083697ed0af0fbd6f5455dc044d90987371f9e1ee
            • Opcode Fuzzy Hash: 4243901e707716e91a4ff761455090a0025c20b12d9de1574a359fb4d765280f
            • Instruction Fuzzy Hash: ED32DE70A007558BDF24CF6AC849BBEBBF2BF84304F24411DE4969B6C5D735AA42DB50
            Function 00CDA118 Relevance: .6, Instructions: 591COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8106195692924e0729bd5ce040569a35830b94fd3b9475e791ef9aaca03afc7b
            • Instruction ID: a69be4ea4112605619204ad35380d3d47f29bf9d684e13dbbb3e7dab6a07c9a4
            • Opcode Fuzzy Hash: 8106195692924e0729bd5ce040569a35830b94fd3b9475e791ef9aaca03afc7b
            • Instruction Fuzzy Hash: 2322D270204651CFDB24CF2AC094376B7F1AF44300F18845BEAA68F396E775DA52EB62
            Function 00CF16CC Relevance: .6, Instructions: 571COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a2b9d9d56925d2ccef5eddb59898e7acdd226c436bcef9e0e941e67b98c20225
            • Instruction ID: c81e44c2670d3c192e3631af9d26c33ce75c1aa8334af1cd788c76bb64025cf4
            • Opcode Fuzzy Hash: a2b9d9d56925d2ccef5eddb59898e7acdd226c436bcef9e0e941e67b98c20225
            • Instruction Fuzzy Hash: D2229135A0021ACFCB59CF59C4906BAB7B2FF88314B28456DDA65DB345DB30AE42CB91
            Function 00C5FB80 Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 033b0eb982b4f19afd25567c3b39308ee01f5ae1e5adc91a472cb9fb91ec6d56
            • Instruction ID: 5df23505f05f5d63d1f85d347eb1a04ea9ce91baff561408caff9d17aa20565f
            • Opcode Fuzzy Hash: 033b0eb982b4f19afd25567c3b39308ee01f5ae1e5adc91a472cb9fb91ec6d56
            • Instruction Fuzzy Hash: 3722D67490020ADFDF14DFA4C881BAEB7B5FF45354F2481A9E824DB285E734EA85DB90
            Function 00CF1D5A Relevance: .6, Instructions: 559COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 66ff76a2f2c35fd782bf60ff5d31c1738b8fb20e4230a34649c80706bbd2d5be
            • Instruction ID: f8ee01fe2749f47486af8279d27e803eadaaec862786dd450e03b91544fd70ea
            • Opcode Fuzzy Hash: 66ff76a2f2c35fd782bf60ff5d31c1738b8fb20e4230a34649c80706bbd2d5be
            • Instruction Fuzzy Hash: 9E2290316047168FC759CF19C490A3AB3E1FF99314B148A6DEAA6CB351DB30ED46CB92
            Function 00C58DBF Relevance: .6, Instructions: 554COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6bfad0b22bd98ca266329ada08d1bafcac509eb729fb975d3ff760f0ada86811
            • Instruction ID: 1100565c56b20ebb3433d6b09b2697155c87c05c45c89f3f4f35d632adacbab1
            • Opcode Fuzzy Hash: 6bfad0b22bd98ca266329ada08d1bafcac509eb729fb975d3ff760f0ada86811
            • Instruction Fuzzy Hash: C0225C74E0021ADBCF14CF95C4859BEBBF2FF48705B24805AE856AB241E734DE86DB64
            Function 00CF2446 Relevance: .5, Instructions: 485COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ba52100cea3ee4b60899c3c31c2a3692f21733d1446ded54aa1deacf63f1c63d
            • Instruction ID: 0f6efccce56ea43852b70c4fa3e8d4669b04ed4b94280f5e73b2673c6700f0bf
            • Opcode Fuzzy Hash: ba52100cea3ee4b60899c3c31c2a3692f21733d1446ded54aa1deacf63f1c63d
            • Instruction Fuzzy Hash: 980226356046598BDBA4CF2AC450375BBF1EF55300B19819AEAE6CF281D334DA42EB62
            Function 00D0B16B Relevance: .4, Instructions: 450COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 69f3a6416f2a2986c2fcb4d2df233f88907b5b18764d2b91710a472d88863874
            • Instruction ID: b88d89ea7faace0905ec26f99a25bd3c5e76bce349436e4abeeae6a5f1be94aa
            • Opcode Fuzzy Hash: 69f3a6416f2a2986c2fcb4d2df233f88907b5b18764d2b91710a472d88863874
            • Instruction Fuzzy Hash: ECF1E572E046118BCB18CF69C9A177EBBF5AF98320719416AD49ADB3C1D734EE41CB60
            Function 006102D3 Relevance: .4, Instructions: 435COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction ID: 808c1db8bf52cc5685c76deeff434067c27cb59f176d0ab3faeca3776c28c8c8
            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction Fuzzy Hash: 82026E73E547164FE720CE4ACDC4765B3A3EFC8311F5B81B8CA142B613CA79BA525A90
            Function 00D0A9A6 Relevance: .4, Instructions: 425COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: add64cbe4d255e0e2d74044660d5018d4ea7b8b27fa941bb5c035002acbfe61f
            • Instruction ID: 35d108acfdf81d1131bf08c2bc6abdd93f17b0fecec7b1d58517ccae9fe2068b
            • Opcode Fuzzy Hash: add64cbe4d255e0e2d74044660d5018d4ea7b8b27fa941bb5c035002acbfe61f
            • Instruction Fuzzy Hash: EAF1B672E006269BCB18CE6CC5A167DFBF5AF543107194169E85AEB3C1D734DE41CBA0
            Function 00C5FDC0 Relevance: .4, Instructions: 390COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 11f25be504fb93d934819f9bf49e7e7625a655a5b5ba0355dcf5466349dcc61f
            • Instruction ID: 54d2fc61f99223e4bcb0aaf798b102b4504124ada82e8aa75674932375a605a7
            • Opcode Fuzzy Hash: 11f25be504fb93d934819f9bf49e7e7625a655a5b5ba0355dcf5466349dcc61f
            • Instruction Fuzzy Hash: 20F1B17090020ADFDB14DFA4C881BAEB7B4FF49318F2485A9E815DB256E734DE85DB90
            Function 00C365D0 Relevance: .4, Instructions: 383COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c4869449fd068423e44bf8ca96a8aaad23058197f3fedaa05b159daea8cd658
            • Instruction ID: 58f52472c6efa138f6da0ab0ade5f69ace3824e0a6ab58238afca9a3837eb901
            • Opcode Fuzzy Hash: 3c4869449fd068423e44bf8ca96a8aaad23058197f3fedaa05b159daea8cd658
            • Instruction Fuzzy Hash: D7E18C71518341DFC714CF28C090A6ABBE0FF99318F55896DF9A98B351DB31EA05CB92
            Function 00C28397 Relevance: .4, Instructions: 380COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fd4ce7c495b9d749fb0b480652bc8a73c6e36032ec095c7b1fec230f35ebc40d
            • Instruction ID: 00de19a548b617cb8319ceaec675f3ebcb0d75934d35169fe68c506bfda21fec
            • Opcode Fuzzy Hash: fd4ce7c495b9d749fb0b480652bc8a73c6e36032ec095c7b1fec230f35ebc40d
            • Instruction Fuzzy Hash: 43D12671A012269BCB14EF25D891EBA73B0FF54708F144229F815DB681EF34EE48DB50
            Function 00C5C6E0 Relevance: .4, Instructions: 367COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a6a8cbf8c832cf76c4080ef74d43103b840258b6ca0bca8a9d1ab07b57629933
            • Instruction ID: 475e1fa2396c62cb8b604b1957375c21373688157ddd842efa2c95c78ab43f10
            • Opcode Fuzzy Hash: a6a8cbf8c832cf76c4080ef74d43103b840258b6ca0bca8a9d1ab07b57629933
            • Instruction Fuzzy Hash: 92D15F39E043198FDF28CA99C5C53BDBBB1FB54342F24801AD852A7295D7748EC9EB48
            Function 00C438E0 Relevance: .3, Instructions: 349COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b5e7ba75da21fdfb7076a3a196c4e2e753836a4020212f49ec0cdf173b4ade6
            • Instruction ID: be9d69eae1e4a3ea8f37e5b08e1fb9b6752225c6596359e6e1b5653c31483064
            • Opcode Fuzzy Hash: 0b5e7ba75da21fdfb7076a3a196c4e2e753836a4020212f49ec0cdf173b4ade6
            • Instruction Fuzzy Hash: C4E16A75A00245CFDB18CF59C894AAAB7F1FF98310F2481A9E855EB391D730EE41DBA4
            Function 00C4F460 Relevance: .3, Instructions: 321COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 826b9fbe55e87393a82131aa80870e27d1613a7a93b27307dfb35f8cfb5c6f29
            • Instruction ID: cfb763fd426b050aa1673ae308dfa6056c142e6b0b8053cbb92af2814e2274fb
            • Opcode Fuzzy Hash: 826b9fbe55e87393a82131aa80870e27d1613a7a93b27307dfb35f8cfb5c6f29
            • Instruction Fuzzy Hash: CBC11371A012218BCB24DF19C490BB977B1FB54714F1A416DEC529B3A5EB30CE42CBA4
            Function 00C40535 Relevance: .3, Instructions: 300COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction ID: 0d5331d3708edd5a0b3f8337dd5767fc91a837e6431da4f625a3adeddbc18e5d
            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction Fuzzy Hash: B0B1F631600645AFDF25DBA5C855BBEB7F6FF84300F244169E65297282D730EE42DB50
            Function 00C590DB Relevance: .3, Instructions: 287COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d748aad9c29311a142c2db4251c7b95ad4a12c6f0402ec5f0921da09cc090a70
            • Instruction ID: 8717e6d41f8b837e665c4d67e2cc631dff4539a560065057fb89d901abb2c715
            • Opcode Fuzzy Hash: d748aad9c29311a142c2db4251c7b95ad4a12c6f0402ec5f0921da09cc090a70
            • Instruction Fuzzy Hash: 60A18971900615AFEF22DFA4CC86FAE77B8EF45790F010094FA15AB2A1D7759E40DBA0
            Function 00C383C0 Relevance: .3, Instructions: 281COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d60723a9c088d298a435f247b9326a7686b9d340968cfbfda02a9024677deadd
            • Instruction ID: 53fbbcebd7f81fa48beff3ab92cc438aeb6d3aff7f6989e9025eeca65e6f231e
            • Opcode Fuzzy Hash: d60723a9c088d298a435f247b9326a7686b9d340968cfbfda02a9024677deadd
            • Instruction Fuzzy Hash: C4C157701183418FEB64CF15C495BAAB7E4FF88304F44496DF99987291DB74EA08CF92
            Function 00C2C427 Relevance: .3, Instructions: 280COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b9dd5a56e1d70eff7637c129f9f22b4d05a2326e34131578b86ba580c80ba29f
            • Instruction ID: cceecdae0099a91e83f7b72acf8282733d8efcf383d7752cdc418cd8a810301d
            • Opcode Fuzzy Hash: b9dd5a56e1d70eff7637c129f9f22b4d05a2326e34131578b86ba580c80ba29f
            • Instruction Fuzzy Hash: 44B18174A002658BDB34DF55D890BADB3B1EF44704F1085EAE40AE7681EB70EEC6DB25
            Function 00C5E5E7 Relevance: .3, Instructions: 278COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d7bcd2ca6be1cdc1e39444e8fd3fc09478fca0ab8e013000656315ce6643075
            • Instruction ID: c725b4f5e77628e6ddf335c26925b0411af5a3e6043f11eab68d73d9d65773c0
            • Opcode Fuzzy Hash: 9d7bcd2ca6be1cdc1e39444e8fd3fc09478fca0ab8e013000656315ce6643075
            • Instruction Fuzzy Hash: 85A14531E00618AFDF35DB98C848FAEB7A4AB04750F144129FD60EB291DB749F86CB95
            Function 00C70185 Relevance: .3, Instructions: 276COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 590545e7feb78eb29e5f3620bb15b33a497213fcaf68d2ee35dd992758e0396a
            • Instruction ID: 1f890a0ef5c8c9d74ca7f8d6aa1eb557f547c14cfcb49ff50f1a0c17779cc37d
            • Opcode Fuzzy Hash: 590545e7feb78eb29e5f3620bb15b33a497213fcaf68d2ee35dd992758e0396a
            • Instruction Fuzzy Hash: 72A1C171A0071ADBDB24CF65C891BAAB7F5FF54318F208029EA19D7292DB34ED12DB50
            Function 00D04500 Relevance: .3, Instructions: 275COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5ca94b359d9f04362b200fd294a5d4f1b41e690cdbcdb95bcd28bf3f02cfdb5f
            • Instruction ID: 77af54d3ee0b65b7f453a7386a574d8aa4b10f29364aef386efb8b20c71077c1
            • Opcode Fuzzy Hash: 5ca94b359d9f04362b200fd294a5d4f1b41e690cdbcdb95bcd28bf3f02cfdb5f
            • Instruction Fuzzy Hash: 28A1CCB2A006519FC721DF18C981F6AB7E9FF88704F454968F689DB6A1D334ED01CBA1
            Function 00C4E3F0 Relevance: .3, Instructions: 261COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bf8a117bd4ef57cfc5edda1617018f6c55823edf0476ca1da066b15953884c86
            • Instruction ID: f2eeb3a90f832ab076b9c981e1ec482473a1cfaa216b80b15178a59a53d84773
            • Opcode Fuzzy Hash: bf8a117bd4ef57cfc5edda1617018f6c55823edf0476ca1da066b15953884c86
            • Instruction Fuzzy Hash: 23915532A002258FDB24DB69C889B7EB7A1FF94714F164069FC15DB381EA34DE41DBA1
            Function 00C31131 Relevance: .3, Instructions: 259COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6c4af211c7b4d89eab91e8d6fb6f0aac3a995e2e2ffa218b4ab86c57c2c9af5
            • Instruction ID: 98bbf1958598c9a0869adcedf2f06b4098a4e293275fac42d0b23e3c050be8db
            • Opcode Fuzzy Hash: d6c4af211c7b4d89eab91e8d6fb6f0aac3a995e2e2ffa218b4ab86c57c2c9af5
            • Instruction Fuzzy Hash: 81B101756193808FD354CF28C580A6BBBE1BB88304F184A6EF899D7352D371E946CB56
            Function 00C39486 Relevance: .3, Instructions: 259COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 283cf23ee4af75489067ed06044bb150b03543edf81730de768d6c04c1e2524e
            • Instruction ID: 700b2f0c44009e812b513b7158d69897a1312405b0e1e3fb5bacb55f95be2b74
            • Opcode Fuzzy Hash: 283cf23ee4af75489067ed06044bb150b03543edf81730de768d6c04c1e2524e
            • Instruction Fuzzy Hash: 0BB15B759103058FCF26DF18D581BA9B7B0FF54318F24465AE8229B3A1D7B0D982DFA0
            Function 00C64750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction ID: 87ae05344efa911c5efcfafdd68e100bda7519ead133e311a12aed97f0e8317e
            • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
            • Instruction Fuzzy Hash: A8816A31A043D6CFDB394EADC8D026DBB51EF57304F28467AE552CB282C264DE86D391
            Function 00C7DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction ID: ab0c7990647e55ea6c7cf519296f1f91a365d85a9e9f6435948693b063607701
            • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
            • Instruction Fuzzy Hash: 0C912C72610A068FD735CE29C885666BBF0FF55364F24CA18E4BBDB6A0C375EA11CB10
            Function 00CFF7B0 Relevance: .2, Instructions: 242COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fde78102f1f6ec2b7b5e98740e8d21ab6fe378d8a6fa4b730e3088b6b0b370ea
            • Instruction ID: d36f3b70b49f2c23fd9c5330dd6ae6ef5d25524b862a1b53ee9aa36a2509e018
            • Opcode Fuzzy Hash: fde78102f1f6ec2b7b5e98740e8d21ab6fe378d8a6fa4b730e3088b6b0b370ea
            • Instruction Fuzzy Hash: 4991F632A0020E9BDB54CF28C88077AB7E1EF45350F15857CEA64DB291D774EE02DB91
            Function 00CFF43F Relevance: .2, Instructions: 241COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a37d95f11f09e66bd2dd9c249dcc240b9470ec861b42dc3f5ffe84a1f6b653
            • Instruction ID: 0d4ea6ff01115409e8f22a6214c353ee2cf494d8a187c8772d9e58fefbbe318d
            • Opcode Fuzzy Hash: 65a37d95f11f09e66bd2dd9c249dcc240b9470ec861b42dc3f5ffe84a1f6b653
            • Instruction Fuzzy Hash: C191BF72A101199BCF18CF69C8916BABBF1EF88310F1981BDE915DB396D634DA02CB50
            Function 00CF81CC Relevance: .2, Instructions: 232COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 02e227648d639a5d96df5e45fc03e1eff763e84bfe60f1ab99625723f877ca34
            • Instruction ID: 2348d9b159a536429c4001d2dad58886d5185e3d128c25459c029974c5322cfc
            • Opcode Fuzzy Hash: 02e227648d639a5d96df5e45fc03e1eff763e84bfe60f1ab99625723f877ca34
            • Instruction Fuzzy Hash: 3081C572E005198BCB54CF69C8805BEB7F1FF88310B25422AD921E7290DB74EE5ADB91
            Function 00C40E59 Relevance: .2, Instructions: 231COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 297dc98b7c5db22bf02cf4d99f5ddab4d3b263524470fc8b7f1582a0281690cf
            • Instruction ID: 501e77c8e609fd48e3589f3f06630566b42cb33854086fc0ce974caa4c73dcba
            • Opcode Fuzzy Hash: 297dc98b7c5db22bf02cf4d99f5ddab4d3b263524470fc8b7f1582a0281690cf
            • Instruction Fuzzy Hash: 5781B631A00559DFDB24CF6AC8849AEBBB2FF95310B38C2A5E9549B345D730EE45CB90
            Function 00CEE4F6 Relevance: .2, Instructions: 224COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4d5064068f08bf8164acff62d35b31e676078bf5d362257affbe08773c25687
            • Instruction ID: 74564dc568d2259e5f2d4f173caf6bcae2dbacbc93a95146c009746838af9c7f
            • Opcode Fuzzy Hash: a4d5064068f08bf8164acff62d35b31e676078bf5d362257affbe08773c25687
            • Instruction Fuzzy Hash: FE81A172E002159BCB28DF99C4916ADFBF1EF98350F15816AE816EB385D7309E41CB90
            Function 00CEB52F Relevance: .2, Instructions: 222COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
            • Instruction ID: 0ef00375a53e25f6bee8aee1dfc2249acd32d12c03b03b49a9757f723840ad71
            • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
            • Instruction Fuzzy Hash: 3971C935A012AA9BCF14CF66C4816BFB7F9BF94740F55411AEC11AB641E334DE81DBA0
            Function 00CFAB40 Relevance: .2, Instructions: 222COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction ID: af0002c0f94a42b1375875cef691f37a891168807d0c3147c5dd4bc9c335c94b
            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction Fuzzy Hash: 28817171A002099FCF58DF99C890ABEF7B6FF84310F148169E91A9B345D734EA01DB56
            Function 00C5D090 Relevance: .2, Instructions: 217COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction ID: c668d9dab5726c0b36797c9e0e836bd5e14a28581f5b13889dccd71058d00f7d
            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
            • Instruction Fuzzy Hash: EA81EF76E006198BDF24CF68C8857AEB7B2FF94311F24816ADC26B7340D6319E85CB95
            Function 00C6E284 Relevance: .2, Instructions: 212COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9ebd0a3728a75c8bf54a1ab4ba7c462eb830ed4a15820f1a114dd644455f7d28
            • Instruction ID: 51b2b70bcc55ae4571024f5aafd217725bccd930eb5cb98a10d861f7dc6c411e
            • Opcode Fuzzy Hash: 9ebd0a3728a75c8bf54a1ab4ba7c462eb830ed4a15820f1a114dd644455f7d28
            • Instruction Fuzzy Hash: 72819F75A00609EFDB25CFA5C880BEEB7FAFF88354F10442AE555A7250DB30AD45DB60
            Function 00602660 Relevance: .2, Instructions: 210COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c98baebbe699514825a4b951c036e082ca6135986dc91cfade79c43775492c38
            • Instruction ID: 3880b10ac8ef5464c59f05be8ce0f13acb1e7771e78f95415197f7535bbdfc99
            • Opcode Fuzzy Hash: c98baebbe699514825a4b951c036e082ca6135986dc91cfade79c43775492c38
            • Instruction Fuzzy Hash: 1B619175B4010A8BDB1CCE58C8A46AEB3A3EFA4304F588179ED19DF7C1E631ED458B80
            Function 00C5B950 Relevance: .2, Instructions: 209COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bc60c6c07ac18908862f5de445ab4a5e600da99113d12a5a661b4d1e504d1eaa
            • Instruction ID: ab50654ff5e11617564c9865dfa45de427d9040cc57d32888fc2b3e4bd4b4d73
            • Opcode Fuzzy Hash: bc60c6c07ac18908862f5de445ab4a5e600da99113d12a5a661b4d1e504d1eaa
            • Instruction Fuzzy Hash: AB7146382042148EEB24CE2AC8447367BE1ABA4705F24855DFDA6CB1C5C735ED8AEB64
            Function 00CEDAC6 Relevance: .2, Instructions: 202COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44292fee5882f042d0cf5210949fc6513ccd2b4865f515f48ac1ae32883228ce
            • Instruction ID: 12c808f1ba5cd00d503a4de10b9e962a79125b0e80f977b425df387be6782f0f
            • Opcode Fuzzy Hash: 44292fee5882f042d0cf5210949fc6513ccd2b4865f515f48ac1ae32883228ce
            • Instruction Fuzzy Hash: 8C818C70E007859FDB24CF6BC844AAABBF1FF59740F208459E4A6AB285D374D941EF60
            Function 00CF70E9 Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e287bceda2215ffb7d9422908a045e8eba1fc612924a28c06d84cb9de65566cb
            • Instruction ID: 7e6e1eb9a3a8fa03b50274f5af5fede83fe53b8d6ae5853791697eb0f55e2f04
            • Opcode Fuzzy Hash: e287bceda2215ffb7d9422908a045e8eba1fc612924a28c06d84cb9de65566cb
            • Instruction Fuzzy Hash: CD61F871E0421EDBCB50EFA5C882ABFB779BF54300F104229FA25A7241DB74DE459B92
            Function 00CEF0CC Relevance: .2, Instructions: 199COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4b952310e2feb7b4203fd0bd2a7c9a25914c7799ef8e0fa46f6840c0db8fa747
            • Instruction ID: 776540a757bf7a510370aa6247525a788c9d79d68ee3ccac7d65e8f5026550f9
            • Opcode Fuzzy Hash: 4b952310e2feb7b4203fd0bd2a7c9a25914c7799ef8e0fa46f6840c0db8fa747
            • Instruction Fuzzy Hash: A1719A39A017A6CBCB24CF5BC48017EB3F1BF94304B65447ED9A297240D374AE92DBA0
            Function 00CC62A0 Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8e95ae37b078af2684741c153c973408c1bbecbe5877a14bc6dc8e1078c9ca97
            • Instruction ID: f4f9a176678fad0ba4a5f4750791ca96470db2178fdd58eb1bf1fae24cb34cbc
            • Opcode Fuzzy Hash: 8e95ae37b078af2684741c153c973408c1bbecbe5877a14bc6dc8e1078c9ca97
            • Instruction Fuzzy Hash: 6F71F032200B01AFDB35DF14CA85F6AB7E5FF40760F14892CE6669B2A1DB74EA44DB50
            Function 00CB035C Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction ID: 32341a92d4e9bf5540427ae5399f24b58650bba2376a3f5973cd000fa14a7e73
            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction Fuzzy Hash: E7716B71E00619AFCB10DFA9C985AEEBBB8FF88300F144569E905E7251DB34EA45DB90
            Function 00CF7A46 Relevance: .2, Instructions: 193COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 244ec8c1293e618aa3a5ab821906fcb88524e85b236cce4c779f43a2054a79aa
            • Instruction ID: 6b9135f36996e311d49c1f830bc2e13c6a5a8fe031fb66dbc2455b4a26344fb3
            • Opcode Fuzzy Hash: 244ec8c1293e618aa3a5ab821906fcb88524e85b236cce4c779f43a2054a79aa
            • Instruction Fuzzy Hash: B3513A75A0412D5BCB54DF69C880ABAB7F2EF88310B154269FE64DB385DA34CE02D7A1
            Function 00CF132D Relevance: .2, Instructions: 188COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7ca315e675dbf6afb2be9de89f5c2e19fc40365e9c86a32173b2cd7733005a51
            • Instruction ID: cac02a028bef3c3bb9edcbefeb317e0f8fed08788b1b3901d812073982d71a70
            • Opcode Fuzzy Hash: 7ca315e675dbf6afb2be9de89f5c2e19fc40365e9c86a32173b2cd7733005a51
            • Instruction Fuzzy Hash: AA818275A00249DFCB09CF99C490AAEBBF1FF88310F198169D859EB355D734EA41CB91
            Function 00CF903E Relevance: .2, Instructions: 186COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3246e2e2071cc29eabad942d2178b83db0f3dc3255a40ef1e932258cc63764d8
            • Instruction ID: f92b8906e3f2b6f28f6679862aca531d930ad61fd0313e08c9f831c3f8dbfa86
            • Opcode Fuzzy Hash: 3246e2e2071cc29eabad942d2178b83db0f3dc3255a40ef1e932258cc63764d8
            • Instruction Fuzzy Hash: CF610571600719AFDB55DF65C884BBBBBE9FF88710F008619FA6983241DB30E905DB92
            Function 00CFFCF2 Relevance: .2, Instructions: 181COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9633c45e3803952ee49fd13caca995f28dab80ea2fcbaf286bdca66b0359acd3
            • Instruction ID: 4f4b53571266408e74e6706e4c0bfa7825f93e8dabf3dee073b14d3d4d89c591
            • Opcode Fuzzy Hash: 9633c45e3803952ee49fd13caca995f28dab80ea2fcbaf286bdca66b0359acd3
            • Instruction Fuzzy Hash: 06619D31A0020A9FCB94DF68C881ABEB7F1FF48310F20853DE615EB295D730AA56DB51
            Function 00CF92A6 Relevance: .2, Instructions: 174COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f89524460640a11124cd2965becd8128ca90ed4a2b3faf49b3359d2851b67043
            • Instruction ID: 591c6842ae5750e7209d2dd468945c005f7c76808e9491d3d06388a4aa3fe8b7
            • Opcode Fuzzy Hash: f89524460640a11124cd2965becd8128ca90ed4a2b3faf49b3359d2851b67043
            • Instruction Fuzzy Hash: DB6128316047868BDB55CF65C494B7AB7E0FF90304F18446DEA958B2A2DB31ED0ACB93
            Function 00CFCE93 Relevance: .2, Instructions: 172COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction ID: 7746976dfb57980bc023b89e0283148b41f31a99b311ed4f697920e77e9a5e2f
            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction Fuzzy Hash: BF51363270420E4BC780CE29899177BFBD7AFD0350F19846DEA66C7242DA30DE0A8793
            Function 006100B3 Relevance: .2, Instructions: 165COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction ID: 53f9bc1081bc51d577751fddf960841cab2a18eedc1de0e84548242cd3d7a2e3
            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction Fuzzy Hash: 305180B3E14A214BD7188E09CC40671B792FFC8312B5F81BEDD199B357CE74E9929A90
            Function 00C2B2D3 Relevance: .2, Instructions: 161COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6f8cf56c4ac7d2c446566e53578cb151f4b0deef0a5a9d8bd8b6843f4ebb076d
            • Instruction ID: b5ce5d3ee8172f4293db2e896428b8995e5693ea215873ee22bb8575f595faef
            • Opcode Fuzzy Hash: 6f8cf56c4ac7d2c446566e53578cb151f4b0deef0a5a9d8bd8b6843f4ebb076d
            • Instruction Fuzzy Hash: F84155316006109FCB26EF25E9C1B26B7A5FF54720F244429F969DB762DB30DD019BA0
            Function 00CAD5D0 Relevance: .2, Instructions: 161COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
            • Instruction ID: fa54016cd6b14afaaa846d51045f878fc7c2c1fa0fc7b141e74fec4d7a56411d
            • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
            • Instruction Fuzzy Hash: A15121762002039BCB11AF648C45A7B77F6EF8A348F040829F957C7651EB34CE96D7A2
            Function 00C6B570 Relevance: .2, Instructions: 161COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e0b876be5fdae1feabd43ca8c469dfdb7fe027b47693dc9e3584c313792aecda
            • Instruction ID: f05955e97b82d22e4a072d5583abced6f6ef50dcf3391e73ec4fb381d02740d0
            • Opcode Fuzzy Hash: e0b876be5fdae1feabd43ca8c469dfdb7fe027b47693dc9e3584c313792aecda
            • Instruction Fuzzy Hash: D951DF715043019FD730EF64CC82F6A37A8FB95324F10062DFD26872A2DB309986EBA5
            Function 00C595DA Relevance: .2, Instructions: 160COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65b7fad0af368491331a321b5c5ca6314a3aced721e688d6dbad566b5c7cce06
            • Instruction ID: 13b07a272fa50780324a53a0d5cd3a2ca40dfb130eb2acbbebab8ff52b53f2ce
            • Opcode Fuzzy Hash: 65b7fad0af368491331a321b5c5ca6314a3aced721e688d6dbad566b5c7cce06
            • Instruction Fuzzy Hash: 53518F74900208EFEF219FA5CC85BADBBB4FF05340F60416AF995A7152DB719988EF14
            Function 00CF7D73 Relevance: .2, Instructions: 160COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a1444c8bbdf94453a549428eac5b11d545efb375bbb00de283df4eef67250e4d
            • Instruction ID: 46b62fa714abcc6ac31b7b4037f427c1c468cf87fb611af7ce44edcb5a21bef7
            • Opcode Fuzzy Hash: a1444c8bbdf94453a549428eac5b11d545efb375bbb00de283df4eef67250e4d
            • Instruction Fuzzy Hash: 6C51A176A1014A8FCB08CF68C880AAEB7F1EF98314F1582BAD915DB355E734DA15CB91
            Function 00C37152 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9842d4e4a48c4ee358fe6983f281489f04f1c88d907ee33520d938408cdea640
            • Instruction ID: 2ce0ff29eb93c948e7a48df57d2e6efac33f709ce021520f0f4eeff0855dec81
            • Opcode Fuzzy Hash: 9842d4e4a48c4ee358fe6983f281489f04f1c88d907ee33520d938408cdea640
            • Instruction Fuzzy Hash: 8C511372A14606EFDF25DFA4C949BADB7B0FF14311F244229E826A3290DB709A01DB90
            Function 00C6E443 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5a8b53003ffbecde42f34381fe6c260838d8108067d9a1a091fde47a91d07b41
            • Instruction ID: bfd7e91b84aaaee3e5d17ed21c86a85e03b17ab048d0a0db9360ff3d471b44c8
            • Opcode Fuzzy Hash: 5a8b53003ffbecde42f34381fe6c260838d8108067d9a1a091fde47a91d07b41
            • Instruction Fuzzy Hash: A9516771200A459FCB21EFA5C9C1EAAB3B9FB44784F50052AE91697261DB30AE41DB60
            Function 00C545B1 Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
            • Instruction ID: 58245115a57144693adc7db66cf4faf4e18cce28ec2decf8adb6c3a1f5e74e95
            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
            • Instruction Fuzzy Hash: F151C279E00219ABCF19DF94C845BEEB7B5AF49355F044069ED11AB240D734EEC8CBA8
            Function 00CB3A6C Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eae725e8b9de43bbce6d772a16481a91becba43030e524f6b493946521339eee
            • Instruction ID: 41bf090eec48f998a18fa63a1b7d2b496b9af4aaae72ec1e13e276e8a7473fc0
            • Opcode Fuzzy Hash: eae725e8b9de43bbce6d772a16481a91becba43030e524f6b493946521339eee
            • Instruction Fuzzy Hash: B5518D32E4016D4BEF25CA58E461BEFB3E2EB50310F440826E865BB3C4C6B66E46D564
            Function 00CAD800 Relevance: .2, Instructions: 155COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 920a8c4837d7e31e81661ee4890eed64fef5ba01edc0e4ae9cee7f2bf553671f
            • Instruction ID: eb4e9d2fc5e8c2ca497f95eb28d56d5559c172cd9eec8c41fa16f4d3866c3461
            • Opcode Fuzzy Hash: 920a8c4837d7e31e81661ee4890eed64fef5ba01edc0e4ae9cee7f2bf553671f
            • Instruction Fuzzy Hash: F251C370600216DBCB24DF69C480BBEB7B4FF46708B154169E953DBA80EB75DE50DB90
            Function 00CFD26B Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction ID: 486921f52d8c7b22afb2ec9e91f6d5f78d995cf61431b8641447585bdd8e9842
            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction Fuzzy Hash: 4E518D722083469FC741CF28C885B6ABBE6FFC8344F04892DFA9587291D734E905CB52
            Function 00CF7571 Relevance: .2, Instructions: 153COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2a269e9336642d61a623cfc491856916abc40679ac3ecfc2b7d7347cd73ac3f4
            • Instruction ID: 640d3d40581c9b072924faeb87101d1f36663bd00919a7d059f5af8dcb6732d9
            • Opcode Fuzzy Hash: 2a269e9336642d61a623cfc491856916abc40679ac3ecfc2b7d7347cd73ac3f4
            • Instruction Fuzzy Hash: 52511431A0421E9BCB55DF68C844A7EFBF9FF48340F154229EA21E7250DB70AE12DB90
            Function 00C351ED Relevance: .1, Instructions: 149COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e4e029d21a78f24c8a94cad68ed5cd1dc95d57dc13771f6afe6b707460a5b878
            • Instruction ID: e7524c6d38a18d827bcd7c38209f89503de6acc4def6efc2ad4dc27e004adde0
            • Opcode Fuzzy Hash: e4e029d21a78f24c8a94cad68ed5cd1dc95d57dc13771f6afe6b707460a5b878
            • Instruction Fuzzy Hash: 1151AE71A21A15DFDF21DBA9C845BEEB3B4BF18354F240018E821E7261D7B5EE40DBA1
            Function 00C6A430 Relevance: .1, Instructions: 139COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d3067c1860149de9d624da4770feb8a8db90b481307a94c085b750133ac4970
            • Instruction ID: 91d5310dff797499afb31315e31386dca8aa93f1161402d3897cdd84e7055781
            • Opcode Fuzzy Hash: 3d3067c1860149de9d624da4770feb8a8db90b481307a94c085b750133ac4970
            • Instruction Fuzzy Hash: 3841D431640301EBCB38EF659CD2B6AB764AF55704F441028FE06EB352DBB19D419B65
            Function 00D035D7 Relevance: .1, Instructions: 139COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
            • Instruction ID: 844fec78910b6766ab5da24c62e426a7651d054ea47bfa0599b87fea0f9ce360
            • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
            • Instruction Fuzzy Hash: 01516DB1600606EFCB15CF54C581B56BBB9FF45304F59C0AAE9089F262E771EA45CBA0
            Function 00C601F8 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 676e4e4fac6ce9d7ae348725c289514d9722a7c91aeab0c0dab99ee37ec3035d
            • Instruction ID: 600edefceb8bd0c4c63f17ff688461b65a3479965975b9059c89ae91652e5154
            • Opcode Fuzzy Hash: 676e4e4fac6ce9d7ae348725c289514d9722a7c91aeab0c0dab99ee37ec3035d
            • Instruction Fuzzy Hash: 4441BD36E01219DBCB24DF98C490AEEB7B4BF88714F24816AE815F7350D7359D42CBA4
            Function 00C3D534 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5e99e87ab3b172f8e3362d4ce2f8b693eb952dddb6dd836ac2b2c6e6155d4063
            • Instruction ID: 9702a332aeb660e56efb59f0821eb515a0dbde1f9b3afa0b44b7dae288b856b7
            • Opcode Fuzzy Hash: 5e99e87ab3b172f8e3362d4ce2f8b693eb952dddb6dd836ac2b2c6e6155d4063
            • Instruction Fuzzy Hash: E851FF72A14680CFCB21CF59D848B6AB3E5EB80794F0904A5F8268B791D734DE40D761
            Function 00CAD1C0 Relevance: .1, Instructions: 135COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction ID: ea10962cade3ed15136034aecfbf536cd1d804674191a1d12558993ca7d782e7
            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction Fuzzy Hash: FE510975A00206DFCB18CF69C5816A9BBF1FF49318B14856ED82A97745D734EE90CF90
            Function 00C36154 Relevance: .1, Instructions: 133COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c41367810619a26454576c0c579389c0e62b55ef5190a666436efd905d6eb398
            • Instruction ID: 12a3bfec2ffc7d3bde167669dc73cb3e7404e19625c10e2345eaa29112676b6c
            • Opcode Fuzzy Hash: c41367810619a26454576c0c579389c0e62b55ef5190a666436efd905d6eb398
            • Instruction Fuzzy Hash: 1C511470900256EFDB25CB64CC05BE9BBB1FF11314F2582A9E429A72D2D7359E81DF80
            Function 00C2B136 Relevance: .1, Instructions: 131COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f1dacaf4666aacc724b60380eb23476e4c14fa6f348bfcbc9728acb325f0a6de
            • Instruction ID: da4a2e199d87aff481368bdd735eb7ad739060f02d9752bab1447a90b1231ad1
            • Opcode Fuzzy Hash: f1dacaf4666aacc724b60380eb23476e4c14fa6f348bfcbc9728acb325f0a6de
            • Instruction Fuzzy Hash: 8D41DCB1640711EFDB21EF65D881B2ABBA8FF10794F144429E921DBAA1D770DD40DBA0
            Function 00CFF0E0 Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dde1e932d59c162744cfc9459353d5eb94b5917f64ba1b98f9597800f0126109
            • Instruction ID: 09ebb94c476b60fad646fae7c6a5b7cb1bfce7e076a6ef535fadf001afd9a62c
            • Opcode Fuzzy Hash: dde1e932d59c162744cfc9459353d5eb94b5917f64ba1b98f9597800f0126109
            • Instruction Fuzzy Hash: A841B1712083458BDB04CF65D8A597ABBE1FF84715F0489AEF9958B382C730DD1ACB62
            Function 00CDD5B0 Relevance: .1, Instructions: 128COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e6a448897bf8afcdb5ffb6ac70fd665dfa7cb1762c26ff502f04740a8dcfb2e
            • Instruction ID: 9a91b8c246dcce7d32a4fff485ac45efd45a7388792553fe841899960a722602
            • Opcode Fuzzy Hash: 1e6a448897bf8afcdb5ffb6ac70fd665dfa7cb1762c26ff502f04740a8dcfb2e
            • Instruction Fuzzy Hash: 30410530E082949FCB14CF29C4956BAFBF1AF59300F05889AF6D68B345C734A957DBA0
            Function 00C5A470 Relevance: .1, Instructions: 127COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b860d08a4d1d512e88bda5bf4838d7060860029535ae113f4eaee110224edb6f
            • Instruction ID: 295cfdab38ea05cb0393fa0c7817f408a04b8595171ec81b8febe76c4c73aae5
            • Opcode Fuzzy Hash: b860d08a4d1d512e88bda5bf4838d7060860029535ae113f4eaee110224edb6f
            • Instruction Fuzzy Hash: 1841F136900614CFCF20DF69D990BAD77B0FF68351F540255E821A7392EB309E85DBA9
            Function 00C2A020 Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction ID: 95aeb80af80001cddcb5015100145f4cbf0bfb898039643c71774a1c8c4f782a
            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction Fuzzy Hash: 15417F35A00231EFCB20FF9598407BEB771EB50718F25806AEA568B641D7359F40EB96
            Function 00CFFFB1 Relevance: .1, Instructions: 117COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 892b611bb2cd09aa336ed2b62eaa7bea0379eb18a38aeaee6c4de9e25da2c324
            • Instruction ID: e8d750731274a9b2d1459016e3f8c509b97c062b557212b0ff41d26dfdf1a46d
            • Opcode Fuzzy Hash: 892b611bb2cd09aa336ed2b62eaa7bea0379eb18a38aeaee6c4de9e25da2c324
            • Instruction Fuzzy Hash: 5D413A319042556BCB00CB6584A07BABFF5EF85305F1DC0AAED859B382D739C906D770
            Function 00CFFA49 Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 265ba198d3e2d1d5e47ed936dfde0d39a951f283ba33b96e567f7a378e10fcdb
            • Instruction ID: 8bfb5008b54c2a860cbb42034610ddbbd5d3b62d638d8aed82ceb84942343eb6
            • Opcode Fuzzy Hash: 265ba198d3e2d1d5e47ed936dfde0d39a951f283ba33b96e567f7a378e10fcdb
            • Instruction Fuzzy Hash: 4E31483270010A9BC758CF29CC44AB67BA5EF94710F18857CEA18CB285E774D947D3A5
            Function 00CFEEDB Relevance: .1, Instructions: 113COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9ceddb1f39500e576896f07e6ab9ef28fe7c9a1bb9e71dca49bb855816ac5407
            • Instruction ID: 8f3ac30ad4726db6204464fba51fcaf3df4087774fc37b647b2a9b7c8323525e
            • Opcode Fuzzy Hash: 9ceddb1f39500e576896f07e6ab9ef28fe7c9a1bb9e71dca49bb855816ac5407
            • Instruction Fuzzy Hash: AB41A433E0412A9BCB18CF68D49157AB7F1FF48304B5642BDD905EB295DB34AE06CB90
            Function 00CB05A7 Relevance: .1, Instructions: 111COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ce7136634754ff26bdf836a5ac82b4eb0c04bba46cabc6cf60e22769e019ceaf
            • Instruction ID: a122f5e427c40a970146ec303fb2a4be100f1264797d594915081f3334422fe2
            • Opcode Fuzzy Hash: ce7136634754ff26bdf836a5ac82b4eb0c04bba46cabc6cf60e22769e019ceaf
            • Instruction Fuzzy Hash: F041C0726047419FC320DF68D841AABB3A9FFC8700F144629F8A8D7691E730EE14C7A6
            Function 00CFFB76 Relevance: .1, Instructions: 109COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 79466707fc8712da42cbf51a12d0bafbdc47f20db9876c905154f04d6125f8cf
            • Instruction ID: 0af67b082fbae4328d7e0d52264f7e1720a14c9a32b4f79a9ed077b4359a4d86
            • Opcode Fuzzy Hash: 79466707fc8712da42cbf51a12d0bafbdc47f20db9876c905154f04d6125f8cf
            • Instruction Fuzzy Hash: 2831E13261011DABD764CF29CC45AABBBE5FF88350F118438FA18CB241DA34ED02D7A1
            Function 0060E353 Relevance: .1, Instructions: 108COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction ID: d050b7a457a9b9345c49105aa559b1f716a635c388bf004becca056f4d4d67d3
            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction Fuzzy Hash: D43160116586F14ED31E836D08BD675AEC28E9720174EC2EEDADA6F2F3C4888408D3A5
            Function 00C402E1 Relevance: .1, Instructions: 106COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction ID: b18f0cec32db2fa8c26a785c02e13dacbb3032b49751cb220905d36e55c54538
            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction Fuzzy Hash: D0312432A04244AFDB219FA9CC44B9ABFE8FF04350F1485A5F865D73A2C374D984CBA0
            Function 00C59274 Relevance: .1, Instructions: 105COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0899e5a4f242379910fc5d46ff74318fc83ccb6a90da831d46d5799b2a211b93
            • Instruction ID: ffe70e23a7dabbda6439eb14b205ed6796fd11850b581cfaba282ca4ba9d5618
            • Opcode Fuzzy Hash: 0899e5a4f242379910fc5d46ff74318fc83ccb6a90da831d46d5799b2a211b93
            • Instruction Fuzzy Hash: 09318075A00628EFDB219B24CC40B9AB7B9EF85750F1101E9F94DA7290DB309E88DF95
            Function 00C34260 Relevance: .1, Instructions: 102COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8adadef5ed9f6afedcb43eae053ab5c34dab4c05c9a894c2409051f52f59a73a
            • Instruction ID: 756cbc2672c603301447366ba02c60bc41492c6d13996c6be7cdc722e84a4e45
            • Opcode Fuzzy Hash: 8adadef5ed9f6afedcb43eae053ab5c34dab4c05c9a894c2409051f52f59a73a
            • Instruction Fuzzy Hash: CF41AE71100B45DFCB26CF24C889F96BBE9BB45714F248429F9A98B2A1C774E940DB60
            Function 00C550E4 Relevance: .1, Instructions: 101COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction ID: 5b4c39e11c22bc8fc84d1d2f237df79f4766d728c24e5d72b48b1f8088a3bc71
            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction Fuzzy Hash: D8312435608A419BDB20DA29C82076BBA94AB84795F088129FC958B2C1D374CEC9D796
            Function 00C2B480 Relevance: .1, Instructions: 100COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bc1118db1541bc550b0db059d396a50b89cb1a28dc043c9ff09a671197f140f8
            • Instruction ID: 2ac7f78c7cca1193ae4f4d32c4dc6d0f4f560b5058abd63906abb3a988374eba
            • Opcode Fuzzy Hash: bc1118db1541bc550b0db059d396a50b89cb1a28dc043c9ff09a671197f140f8
            • Instruction Fuzzy Hash: C231F172500314AFC721EF14E880A6677A5FF85364F544269FD558F692D731EE42CBE0
            Function 00CF61C3 Relevance: .1, Instructions: 97COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 752371af4b0f97d48090009fb177ff9d139eadcea3c4ef99e53d4fbcc02709cd
            • Instruction ID: c78f850727252cf5fce6c8b733914463970a7ed3b01c5cdaa8db676fe5fa50d2
            • Opcode Fuzzy Hash: 752371af4b0f97d48090009fb177ff9d139eadcea3c4ef99e53d4fbcc02709cd
            • Instruction Fuzzy Hash: A631D076A00219EBDB15DFA8CC81BBEB3B5FB44B40F454169E910AB241D770AD01CBA0
            Function 00CF6BD7 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5d9556a95a7ec242212b7ce794abab24dd9794083c63db2ef53a9beb1ec0b3c9
            • Instruction ID: 1a078eeb76d94a7c5437707dd15d00f5f30292b8937efa3fb5cbe5b6839669d5
            • Opcode Fuzzy Hash: 5d9556a95a7ec242212b7ce794abab24dd9794083c63db2ef53a9beb1ec0b3c9
            • Instruction Fuzzy Hash: A3318C316102049FCB64CF69E985A5B7BF4FF48300F458469F948DF28AD270E945CBA5
            Function 00CF60B8 Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f6d8c4113123781297b608ae46fab2eeb08cdf8e8e1de8a996275bb09c127365
            • Instruction ID: 9f95044ac1b380adf3c25ce2a14c69d775ac5d5fbcf463a6f276b94888e86970
            • Opcode Fuzzy Hash: f6d8c4113123781297b608ae46fab2eeb08cdf8e8e1de8a996275bb09c127365
            • Instruction Fuzzy Hash: D5310531B00619AFDB12EFA9CC51B7EBBB9AF44354F108069F605DB352DA30DE019BA1
            Function 00C38550 Relevance: .1, Instructions: 94COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b6c656b5baabd098aeff356163bf26670b6129ed6e4ca57851e66915471c274
            • Instruction ID: e534fa3d91783c55f557fef949399195be9fc41a05e68dabad86b6654600fab0
            • Opcode Fuzzy Hash: 5b6c656b5baabd098aeff356163bf26670b6129ed6e4ca57851e66915471c274
            • Instruction Fuzzy Hash: BE319A716193019FE721CF19C844B2AB7E4FF88B00F14496DF89997291DB75EE48CBA1
            Function 0062EDE3 Relevance: .1, Instructions: 93COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6b92a1c8c3cb5d5baf6a045173c5b3dcc562281d671405b59d032712691c9544
            • Instruction ID: c0eec7c60cf1b6a1c40879e522987420a4966310819be5071a74c6ffe3e338d9
            • Opcode Fuzzy Hash: 6b92a1c8c3cb5d5baf6a045173c5b3dcc562281d671405b59d032712691c9544
            • Instruction Fuzzy Hash: 1D31DF72B10A265BD354CE3AE880256F7E2FB88310B558639DA18C3B40E775FDA1CBD0
            Function 00603220 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3032808655.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Offset: 00600000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_600000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 046be41b61721f51deb1aad13fcc38088d1195b6ca77e1703c2580996be7879f
            • Instruction ID: 43b09e006289e6fc414f3b9c1e01b6e25c8f2f3cce1d24de1bbdd06a4633097f
            • Opcode Fuzzy Hash: 046be41b61721f51deb1aad13fcc38088d1195b6ca77e1703c2580996be7879f
            • Instruction Fuzzy Hash: 67316F72A14A204FD3B8CE7DD985643F7E5BB88350B45462EE94AC7B80D774FD018B84
            Function 00C87190 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction ID: 422949d7479809d046daacf8339dcd95d55d2b66debe4dc7c23cd9427037d5a3
            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction Fuzzy Hash: 9531AC75608206CFC710CF18C48491AFBF5FF89314B2586A9F9589B315EB30EE06CB95
            Function 00C392C5 Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction ID: 6ab990f74c3645fa9b28bca80226828d079bb0cf8e12187a3a6a909b38574c88
            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction Fuzzy Hash: 233198B26082499FCB01DF18D881A9ABBE9FF89310F00056AF895973A1D730DD04DBA6
            Function 00C5438F Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 016cfd17f79b16435514b6d125a8d51b86a7b07c64ec974996095d2dbd6ec786
            • Instruction ID: 58498aaf3e16d07eae0960f33b012e6efdc7a8957780992c7281076832b05b4b
            • Opcode Fuzzy Hash: 016cfd17f79b16435514b6d125a8d51b86a7b07c64ec974996095d2dbd6ec786
            • Instruction Fuzzy Hash: 1031D335B002059FCB28EFA4C985B6AB7F9AB80309F008529E805E3291D730EDC9DB50
            Function 00C2C156 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0aac0e07c0e89e2e74d2c3c4fd72b489565ca40441a2c29e60ddc5a66eab66e1
            • Instruction ID: c815b4e00a70168bf1794147a15a62f59715509f1e19d86ce28a8520216216d9
            • Opcode Fuzzy Hash: 0aac0e07c0e89e2e74d2c3c4fd72b489565ca40441a2c29e60ddc5a66eab66e1
            • Instruction Fuzzy Hash: DF31E8715003109BC730BF14CC42BA977B4EF50318F5485A9FD4A9B386EA34DE86DBA4
            Function 00CEC3CD Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction ID: 01c4e24414af7438f724fec37371711fe5dc5a94d320fbe68d6c9bdfe8ae08ea
            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction Fuzzy Hash: A7213D36600695B7CB24ABA6CC91ABBB7B4EF50710F40C01AFDA5C76D1E634DD41D360
            Function 00C2E420 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6fce93ff372d1e50d93bf8f6e9e0350b28f00de2cc50b8ba86e8d608f0cdb06c
            • Instruction ID: c6064aff68011508a55a0a62482e346e1f2a2deb69194c106efc8419690b2b75
            • Opcode Fuzzy Hash: 6fce93ff372d1e50d93bf8f6e9e0350b28f00de2cc50b8ba86e8d608f0cdb06c
            • Instruction Fuzzy Hash: 4F31D132A0152C9BDB31EF54DC42FEEB7B9EB15740F0101A1F655BB290D6B4AE809FA0
            Function 00C644B0 Relevance: .1, Instructions: 87COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dc20915ee94593fca93cdc0567d00af56fb73fe07f130b571d3803053cbf077e
            • Instruction ID: 0d4c1af7a56366a97666af4e97dc66ac5c426b58667f368bb9677c34f10edfd8
            • Opcode Fuzzy Hash: dc20915ee94593fca93cdc0567d00af56fb73fe07f130b571d3803053cbf077e
            • Instruction Fuzzy Hash: 2921D0726047459BCB26DF59C881B6BB7E4FF88760F004629FC5A9B241D730EE01DBA2
            Function 00C64588 Relevance: .1, Instructions: 87COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
            • Instruction ID: a1fb0eabaec806d099ad2335bfc1dd1839fb8f57183c83f628efbd2bcbfa32c1
            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
            • Instruction Fuzzy Hash: B2217131A00608EFCB29CF58C9C0A8EBBB5FF49714F108065FD259B241D671EE459B90
            Function 00D003E6 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0ad8610bb4cccf18120d3f140d47730ddd3552f534022ac0f4958753a2aee821
            • Instruction ID: b00b44d441ed4a8856c18ae40656f922b020c36c44c0fc3ebdeef847053ec85a
            • Opcode Fuzzy Hash: 0ad8610bb4cccf18120d3f140d47730ddd3552f534022ac0f4958753a2aee821
            • Instruction Fuzzy Hash: 8C314171A00219BFCB15DBA5D894B9FBBB9FB88314F054129E919E7240DB70AD05CBB4
            Function 00C2E388 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction ID: 93f843d371e008aa55fc1c43fb9970942ab0d3176ee2bc847eb7fddcf5a9a578
            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction Fuzzy Hash: E331CB31600654EFD721DFA9D884F6AB3F8FF84314F2044A8E5529B691EB30EE02DB50
            Function 00C6D530 Relevance: .1, Instructions: 85COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cc6b4bf7d5adec79333e92fd41ad285a12a14a2c340b71f306ee08db39bbafcd
            • Instruction ID: 69bd6b4769e1c8fdeebf42f57ad208d30919f49960048bbb38cb5a53c1bb6c9d
            • Opcode Fuzzy Hash: cc6b4bf7d5adec79333e92fd41ad285a12a14a2c340b71f306ee08db39bbafcd
            • Instruction Fuzzy Hash: 3521E5B1A043519BC730EB68DD82B1B7BE8EB95758F000825F915D7791EB30DD04D7A2
            Function 00D00591 Relevance: .1, Instructions: 84COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bc0da28453a9b92c003ea70d18316afb6ebccd4f2ce224d0465864a0dab197ae
            • Instruction ID: 95c188aee49b873a4f58c8f1279481c3966527c38cf236484937480faecf035c
            • Opcode Fuzzy Hash: bc0da28453a9b92c003ea70d18316afb6ebccd4f2ce224d0465864a0dab197ae
            • Instruction Fuzzy Hash: 5D21C1326002059FD728CE29CC847A67BA2EFD4300F994438E949C7285D731FC55CBA0
            Function 00C5F32A Relevance: .1, Instructions: 79COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction ID: bde6ce035c71bb8d964522f1e77e3927875d697e69e3b44087b88ee41c065d3c
            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction Fuzzy Hash: A62101762002009FD71DDF15C481B2ABBE9EF85362F10417DE81A8B3A1EB70ED46CB98
            Function 00CB019F Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8de57645b14f6f141ad8dfd7c425aa709c8fc3680ee71f79e5b83ce94dd4e72d
            • Instruction ID: d7d6655e00827fc80665f3b8dc0ba3fbb53550a58f561d06be1fda7f1754002c
            • Opcode Fuzzy Hash: 8de57645b14f6f141ad8dfd7c425aa709c8fc3680ee71f79e5b83ce94dd4e72d
            • Instruction Fuzzy Hash: 0821AE71A00644AFC715DB68D844F6AB7B8FF88740F240169F904DB7A1D638EE40DB68
            Function 00CB0283 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cd7447062c6e6e075a3a3048efd9589892207029caf9ee0888bd2890f1cff0a3
            • Instruction ID: 92a5f2fb3331bc81f9661f26a69d72cbb3827d71d71518859f7859fe8a8164d5
            • Opcode Fuzzy Hash: cd7447062c6e6e075a3a3048efd9589892207029caf9ee0888bd2890f1cff0a3
            • Instruction Fuzzy Hash: 4621B0729047859BC711EFA9C848BABB7DCBF90344F184566BCA0C7262D734DE48D6A2
            Function 00CAD0C0 Relevance: .1, Instructions: 73COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction ID: c9443b981e3c064deb14322c82903a837280be2a358bf5a01281584b7c950343
            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction Fuzzy Hash: 2E210472644701ABC3119F19CC42B9FBBA4FF89724F10022EF95A977A1D330DD0197A9
            Function 00D001AA Relevance: .1, Instructions: 71COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8864173948f528370b32666a12d5c24140410b308ce6ec7a9244a9943ba23db0
            • Instruction ID: 495ce51b91f6385fa2a4cef606c9be459d8af517bec27c937ee9d2066ce985ef
            • Opcode Fuzzy Hash: 8864173948f528370b32666a12d5c24140410b308ce6ec7a9244a9943ba23db0
            • Instruction Fuzzy Hash: A221B7612041545FDB05CB6A98B45B6BFE9EFC6215B1981E6D988CF343C6349D06C7A0
            Function 00C6A30B Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bc4fa29ea4d6c2ad9bdce38d2cf8d0a2e74c57f95e8210b8e16270592c3e9506
            • Instruction ID: 21c521b8d7e6007afaca21fe7218b69f5fbd1f3690707dd1905ec2e585e3f4fd
            • Opcode Fuzzy Hash: bc4fa29ea4d6c2ad9bdce38d2cf8d0a2e74c57f95e8210b8e16270592c3e9506
            • Instruction Fuzzy Hash: 6321A935600B519FC724DF29CC41B46B3F5BF58B48F248468A519DBB62E331E942DF94
            Function 00C515A9 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
            • Instruction ID: aa9e09d667cce4e5f679842b16ffc5296512a8786f9c0983465fa28643c6b2be
            • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
            • Instruction Fuzzy Hash: 4B210571A04685DFDB128B59C94CB6177E9EF80740F1900A1EC058B292F778DE40D796
            Function 00CFEE26 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 55bb711eba57a340409295dfe8f74d152e758b109a04fd8edc839852e9d9bba1
            • Instruction ID: cab26e160e4b3428b6dd9cbb44d911588f55071abebed8864de2cc3d62d58ec0
            • Opcode Fuzzy Hash: 55bb711eba57a340409295dfe8f74d152e758b109a04fd8edc839852e9d9bba1
            • Instruction Fuzzy Hash: 6621B133A109159B9B28CF3CD80446AF7E6EFDC31436A427AD912DB2A4D770BD128A84
            Function 00C60124 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction ID: f3cdf4dd216b8f43b17e688ce480e8c928ba39c182f2a82172947aae5e626557
            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction Fuzzy Hash: AB11EF72600604AFD7229F84CC81FAFBBB8EB81754F204029F605AB180D675EE44DB60
            Function 00C380E9 Relevance: .1, Instructions: 66COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9aa9da091e24a8c99fb8ebb0fc984b52c8dc582d3448087c3f821ea933a77bbc
            • Instruction ID: 08b4aa45c4716700567e9bf626b2878138ee19a2d8cd4ff3f6512a4d6d1f58e9
            • Opcode Fuzzy Hash: 9aa9da091e24a8c99fb8ebb0fc984b52c8dc582d3448087c3f821ea933a77bbc
            • Instruction Fuzzy Hash: 46215B75A10205DFCB14CF99C581AAEBBB5FB88318F34416DE105AB351CB71AE0ACBD0
            Function 00C29240 Relevance: .1, Instructions: 64COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b79629b9b53edd947e87aa03489774c5a292a45fb5dabbbf9f42eeceb8ab8654
            • Instruction ID: 1e738c31bdc8588665b7b95d007b03a14a03378e6fb11bc53f716ccc202cdc25
            • Opcode Fuzzy Hash: b79629b9b53edd947e87aa03489774c5a292a45fb5dabbbf9f42eeceb8ab8654
            • Instruction Fuzzy Hash: 4611DD7A020340EBD730AF61ED01A7237A8EBB8B84F204029E800D7760E238DE02CB74
            Function 00CFFF09 Relevance: .1, Instructions: 60COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6361303950e4b5f54aec4046ae4ba007694f7d5533495a272709fa5f2b1ad6c
            • Instruction ID: 21988c634493c94a17cb7769e2a4b3c6f35f33a255af96c5670f8407bc89d54a
            • Opcode Fuzzy Hash: d6361303950e4b5f54aec4046ae4ba007694f7d5533495a272709fa5f2b1ad6c
            • Instruction Fuzzy Hash: EE217FB1A102059FD754CF29E880A42BBE4FB4C310B458ABAE90CCF256E370E845CBA0
            Function 00C5B052 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d77e3f2f901ab5609f8776d869636eac8f065d38de82b1eadf76e31aded76513
            • Instruction ID: ea6a887a2dd483dc26d4aacfe7108036d98c0e3e5764734e57271e3392ca9355
            • Opcode Fuzzy Hash: d77e3f2f901ab5609f8776d869636eac8f065d38de82b1eadf76e31aded76513
            • Instruction Fuzzy Hash: 1101FEB67003006BD710AB6A9C41F6BBBF8DFD4315F040024FA05C3181DB70ED44D625
            Function 00C27330 Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b33e2394e6a71cf6344bf0ee49b48d7beef85ea99c9ab937a04b7c55218f0d9
            • Instruction ID: 428eb06bd5038b3e0a0f1742f73848b44505f6b5a526d923cfaf693ea633d4da
            • Opcode Fuzzy Hash: 2b33e2394e6a71cf6344bf0ee49b48d7beef85ea99c9ab937a04b7c55218f0d9
            • Instruction Fuzzy Hash: 7A11AC71604724AFD721CF69D881BAB77E8FB44304F018929EA95CB621D735ED01EBA1
            Function 00C5E53E Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
            • Instruction ID: eb8550c58ac826b75d03f0ec1cf2d3caf857d4854aaedf2bb08240f421f47097
            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
            • Instruction Fuzzy Hash: 40112B766056C19FEB229729C958B2537D4FF41748F2A00B4ED55C7642F728CF83E254
            Function 00C5F2D0 Relevance: .1, Instructions: 54COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 67bb4d5d91c42e98ea3200c8dfbf973bc013151b530c95911eeb9d32a1c8da0d
            • Instruction ID: d17978bfa649e2fbe7560ba76d128c805c12f718edf260d08620d28da5e4e752
            • Opcode Fuzzy Hash: 67bb4d5d91c42e98ea3200c8dfbf973bc013151b530c95911eeb9d32a1c8da0d
            • Instruction Fuzzy Hash: D1112171A006889BD720DF69C884BAEBBA8FF45700F24007AE905EB252DB38DE41C764
            Function 00CC72A0 Relevance: .1, Instructions: 53COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction ID: 16866406550b1050d92ebfd1e3c56cfa8a8ebc35a56159a8ac74b3ee57374027
            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction Fuzzy Hash: 9001F172140509FFE711AF16CC81F62FB7EFF80391B004629F224425A0C731ACA0EBA4
            Function 00C2A250 Relevance: .1, Instructions: 52COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction ID: 104c4a6ab5ddba1782725fb83f9cf3780012754146508b3c46c25c0699934fcd
            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction Fuzzy Hash: C4012631404B21EBCB308F15E840A327BA5FF55760700892DFCA9CBA81C735D900DB61
            Function 00CAE1D0 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 10fb59dcefc21b049658c120b8aa6608ef097b07f217b0b5038a6cb8cb51981e
            • Instruction ID: 10fc69ddb9f617b86fc7c1cc85e781239ea1c4850fc7fa84396c3590f85e348c
            • Opcode Fuzzy Hash: 10fb59dcefc21b049658c120b8aa6608ef097b07f217b0b5038a6cb8cb51981e
            • Instruction Fuzzy Hash: 3211AD32241240EFCB15EF19CD81F56BBB8FF48B88F2400A5FD059B6A2C235ED01DAA0
            Function 00C36259 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 42152592bdf634046af03c40a0043cbc55261aaf3d34d70d22e5ab9eb71b83bd
            • Instruction ID: 53fc409d05713ec694e998d29a03835bc0a3aa5496950e4cd67cd63373eeed48
            • Opcode Fuzzy Hash: 42152592bdf634046af03c40a0043cbc55261aaf3d34d70d22e5ab9eb71b83bd
            • Instruction Fuzzy Hash: CC115A71541228ABDB25AB64CC42FE9B374EB04710F5081D4B329A61E1DB709E81DF94
            Function 00C3208A Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction ID: 6b1800565191069a2c94df393aaa6d417100511bdf483b07930e31d95b0d7b10
            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction Fuzzy Hash: ED017B336102108BDF28AE29D880FA67766FFC4700F1540BAED25CF246EA71DD85D3A0
            Function 00C720F0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6b36e875f0e9d76d96c06d0a659e9bd5ac065fd63cc7b46a5441b58197d21a93
            • Instruction ID: cd08b1e181a59c2a05f406d5048bd0e4d32397c2b7e5f52c3789a1af78c72f2d
            • Opcode Fuzzy Hash: 6b36e875f0e9d76d96c06d0a659e9bd5ac065fd63cc7b46a5441b58197d21a93
            • Instruction Fuzzy Hash: 1D116931A0120DEBDB05EFA4C851AAE7BB5FB44344F108059FA169B290DB35AE11DB91
            Function 00C2C020 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction ID: f14452dc1188cb80b9f96b795108cecb2abcb4e435b8b80b9afb37aa3bed7aa7
            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction Fuzzy Hash: 30012872100745DFDB32A666D840FAB77E9FFC4354F14481AB9578B980DE70E941D760
            Function 00C6E5CF Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ce1db5fc5bb389203794f8f4db40e9c67cc8039b79388b9eedddfe578ea22f3e
            • Instruction ID: ece0de081c8b7535d62730a268c8d977c84710af4651bc8e661ca5a8cea62b61
            • Opcode Fuzzy Hash: ce1db5fc5bb389203794f8f4db40e9c67cc8039b79388b9eedddfe578ea22f3e
            • Instruction Fuzzy Hash: B201A271201A51BFC311BB79CD86E57BBACFF857A4B000626B50593692DB34EC01D6F0
            Function 00C29353 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction ID: 21f047582757e7f94e97f4940c1413614a072462ef4e3d24e833b0a43df91418
            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction Fuzzy Hash: 37116D32511B21DFD721DF15D880B22B3E4FF907A2F15886DE4994A9A6C375EC81DB50
            Function 00C6D1D0 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction ID: f1e423f223f4100ac9a413257c3f1259a072285d17cb4661aa90a23653ef0742
            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction Fuzzy Hash: 5F0147B2F041049BD7209A55E851F6673A9EFC4724F208115FE278B280CB34DE00C7A0
            Function 00C533A5 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction ID: eb1de4242b83ea669b4ccd0d64c712eaeddc01402a61c5c893ab0d804693f27c
            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction Fuzzy Hash: 9D014436700140ABCB12CBAACC00E9F7FACAF80781B100029BD15DB120EB34DF86D768
            Function 00CEF453 Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4bb53a54c1fd6106964972b54216c0d462f32a4cdb85f34f6aaf990f4523477
            • Instruction ID: 331185d54889cbcd6bab7590e3801de5752707716fb91712d52d39260ed683c5
            • Opcode Fuzzy Hash: d4bb53a54c1fd6106964972b54216c0d462f32a4cdb85f34f6aaf990f4523477
            • Instruction Fuzzy Hash: 48017171A10248AFDB14EF69D846FAEBBB8FF44710F00806AB904EB381D674DE01DB95
            Function 00CEF5BE Relevance: .0, Instructions: 47COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5a836743b64cb4d596e7b87b67c5f1f62dbccd7f293e532e1bd4903f3335189b
            • Instruction ID: 3f6aef7b793ace5f308b6a3f77676518684d68b9f447ae0963e98273964cad37
            • Opcode Fuzzy Hash: 5a836743b64cb4d596e7b87b67c5f1f62dbccd7f293e532e1bd4903f3335189b
            • Instruction Fuzzy Hash: 0B015E71A11248ABDB14EF69D846FAEBBB8EF44710F00806AB904EB291D674DA01DB95
            Function 00C4E016 Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction ID: 3595697d86648f552098514a0ae955e38d0188b41c3e7996eb02dee5ae224052
            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction Fuzzy Hash: 74017C322005809FD322961DC948F3677D8FF45754F0E04A1F825CB6A2D678DD40D625
            Function 00C2826B Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 23bfbe1b711c82ece1540d0468d76a6253376465743ec3bf4368ef8e6f69acd7
            • Instruction ID: 845f5223a3a95837a413a75e8f20ee8351f006e8a4e5d30f98d34e181ce935d5
            • Opcode Fuzzy Hash: 23bfbe1b711c82ece1540d0468d76a6253376465743ec3bf4368ef8e6f69acd7
            • Instruction Fuzzy Hash: 8201F731701614DBC714EB66EC119AF73E9EF40710F194069A902E7A51EE30DE05D690
            Function 00CEF367 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0397d7fda8b52099e324e377f4d6ed3ff0ca25c11ab2c15a2a61d80c727283c0
            • Instruction ID: 2b93f8b58a2720ed9d9853adb7d46f99b80cc6034096b3e4f118a410c2be701d
            • Opcode Fuzzy Hash: 0397d7fda8b52099e324e377f4d6ed3ff0ca25c11ab2c15a2a61d80c727283c0
            • Instruction Fuzzy Hash: CF018471A10258EBDB14EBA6D816FAE7BB8EF44700F00406AB504EB391D674DE01D7A5
            Function 00C32582 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3b8b0ab3f63793f99e4e8a51e88e502fb10303c31995e6d4d7dbdb14b4dded98
            • Instruction ID: 57e9a202f55bf12892442eac715163db3a7fb3eeb969942e1df3a23245d6bc06
            • Opcode Fuzzy Hash: 3b8b0ab3f63793f99e4e8a51e88e502fb10303c31995e6d4d7dbdb14b4dded98
            • Instruction Fuzzy Hash: ABF02832B51B60BBC731DF568C40F17BAADEFC4B90F104029B60597640DA30EE01DBA0
            Function 00D050D9 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c063dfaa3432d6ffa555d1052440c7a129350bd0abfa8b7f1415404a5230234a
            • Instruction ID: 929eed4760e06c610481bbd1b8e3a91cb6bca1a2d97c79dad86e05402019a693
            • Opcode Fuzzy Hash: c063dfaa3432d6ffa555d1052440c7a129350bd0abfa8b7f1415404a5230234a
            • Instruction Fuzzy Hash: DB017171A00309ABCB00DF69E941ADEB7B8FF48300F10405AF904F7381D774DA018BA1
            Function 00D05060 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c38abe39faf8ff043b2de2f201a5c97e73b16f8c8dcf593b38bd93231258a344
            • Instruction ID: 83c5401813daf2b5f912e2ea148e12bd4f60b1666756b184eb7992da1e70edd8
            • Opcode Fuzzy Hash: c38abe39faf8ff043b2de2f201a5c97e73b16f8c8dcf593b38bd93231258a344
            • Instruction Fuzzy Hash: BD017C71A10249ABCB04DFA9D941AEEBBB8FF48300F10405AF904E7381D734EA018BA1
            Function 00C5C073 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction ID: db19a67715d18e86c6b6e4e906d831a8921e165f90036e64c253b4eb43fb427f
            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction Fuzzy Hash: 23F0C2B2A00A10AFD324CF4DDC41E57F7EAEBD4B80F048128A919C7221EA31DE04CB90
            Function 00D05152 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 258bdd1d2f153782ca8344dd44d1cab5033d3abd1dfe1fe33f2a92f3e2341f01
            • Instruction ID: 6f0580b4449540b582384503efc545d7cf032cd39eee28777a1626c1bc6b0ef4
            • Opcode Fuzzy Hash: 258bdd1d2f153782ca8344dd44d1cab5033d3abd1dfe1fe33f2a92f3e2341f01
            • Instruction Fuzzy Hash: 3E012C71A10249ABDB04DFA9E941AEEBBB8FF48310F14405AF904E7391D774EA019BA5
            Function 00C2C310 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction ID: 342f3c4f06fe1019c3b1f3c4bed3a049224c95de094796dfec4879fb02c2392c
            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction Fuzzy Hash: FAF021332446329BD7329659E8C0BFFA6958FD5BE4F2A4435F1199BE10CAB48C01B7D1
            Function 00D05537 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c5271a34461e7a00b4219566be9a8acecc7276709f817237835dc04af66955ec
            • Instruction ID: b63a4c562868d40c32cbf6ebf9699d8caddd347d0e385f7ee95bc6545e6d4ccd
            • Opcode Fuzzy Hash: c5271a34461e7a00b4219566be9a8acecc7276709f817237835dc04af66955ec
            • Instruction Fuzzy Hash: 48111E70A10249DFDB04DFA9D945B9EBBF4FF08300F144266E508EB382D634D941DB50
            Function 00D061E5 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f95c66bd5ac596a933db27f3e79264638a4995748074930e226d0176265f5aa8
            • Instruction ID: 955054d8186bcff35a21a7adcad5ab5c13bb92c5beb2e523ed6107aca6bbeba3
            • Opcode Fuzzy Hash: f95c66bd5ac596a933db27f3e79264638a4995748074930e226d0176265f5aa8
            • Instruction Fuzzy Hash: 6D017C71A002589BCB04DFA9D845AAEBBB8BF48710F14405AF504AB280D774EA01CBA9
            Function 00CEF2F8 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 464d20979912802af8cf531594ebdaa84c1056fa63aaf53bebca8af46a5a13fc
            • Instruction ID: 9088a0391cd338c19552bb0a11b7e56cdfb586228b615102d9af6ff9dc41413a
            • Opcode Fuzzy Hash: 464d20979912802af8cf531594ebdaa84c1056fa63aaf53bebca8af46a5a13fc
            • Instruction Fuzzy Hash: 6CF06872F11388ABDB14DFBAD805AEEB7B8EF44710F00806AF551E7291DA74DA019761
            Function 00C6724D Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction ID: 63b04b13e796a26e954f797e31de670b9729c4c597ffb651cd621c2c6ffd6d36
            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction Fuzzy Hash: 0AF04671A05255EBEF30D7A98980FAFB7A8EF80714F098A55BD0197141DA30EE40C660
            Function 00CBA4B0 Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 279096e27d810213a5ec913b69e0c6b03e973ecf2b3218fbba74f1072495bda7
            • Instruction ID: 3649a805594c0704054b60e015fa94887ee85b890d3cceffe8f2ffea0543f3d9
            • Opcode Fuzzy Hash: 279096e27d810213a5ec913b69e0c6b03e973ecf2b3218fbba74f1072495bda7
            • Instruction Fuzzy Hash: 40019C36100609ABCF229F84DC40EDE7F66FB4C754F058101FE6866220C232DA71EF81
            Function 00C2C0F0 Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 20adb1002d98af14379c54a5d1be0c40090f44d89736e57756fc813dbbcf5ce0
            • Instruction ID: 3ad3eef5887c11d47eab712582901e3420ccbb9fac6914bb1bf3cf7113c6cc85
            • Opcode Fuzzy Hash: 20adb1002d98af14379c54a5d1be0c40090f44d89736e57756fc813dbbcf5ce0
            • Instruction Fuzzy Hash: 51F02B716042205BEB149619EC43B6A3295D7C0751F258036E6158BAC2E970DD11C394
            Function 00D053FC Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1be70d976ef656fbe1a90257c84936bf4324e074146d8d81d80da7e2ce3fe7fb
            • Instruction ID: 6185da801c8b0ff982876dd6bec931a0c2c8e77bb51512b7355c14213204899f
            • Opcode Fuzzy Hash: 1be70d976ef656fbe1a90257c84936bf4324e074146d8d81d80da7e2ce3fe7fb
            • Instruction Fuzzy Hash: 4E011A70E00249DFDB04DFA9D545B9EB7F4FF08300F14826AA519EB382EA74DA419BA1
            Function 00C6656A Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a1510bf8c6f4ceae842dd8cc62c8159a2bd66ea0437d50005bf94874201e7341
            • Instruction ID: 4109adbe9cb34717b4bc92b39e6703136593ced18977d0bb8ab0eee4638dc9cb
            • Opcode Fuzzy Hash: a1510bf8c6f4ceae842dd8cc62c8159a2bd66ea0437d50005bf94874201e7341
            • Instruction Fuzzy Hash: 3601C870601BC19FE7369729CD8AF2537A8BB81B04F584194F913CBBE6D7A8DA01D614
            Function 00CD437C Relevance: .0, Instructions: 37COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction ID: dae448ed28617f2f8573cb833e2692962cb6cd11d8df959cd914400d7af2a137
            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction Fuzzy Hash: B9F0E935381E1247D73DAA6E8420B2BA255AF80B00B05052EA721CB760DF30DD009790
            Function 00C292FF Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e519507704d19f9407a3c62f7b696ea77994427540cb7c128faf59fc42dffdc9
            • Instruction ID: a300f1ea102241566ce3a25b40477a930d801273514c22ea1a367ff50ebd1bfc
            • Opcode Fuzzy Hash: e519507704d19f9407a3c62f7b696ea77994427540cb7c128faf59fc42dffdc9
            • Instruction Fuzzy Hash: ECF0FA32200340ABC731EB09EC05F9ABBEDEF84B00F080129B942935A1C6B0AA09C660
            Function 00CEF3E6 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f3d3d601d8df61a6029c231ada6f57d5c93b5e20b707dd91d33b67e2e110d974
            • Instruction ID: 6149eb276ece073384b20b517a3a4794010d9e68e0fdc6ab54d03a94574f3e88
            • Opcode Fuzzy Hash: f3d3d601d8df61a6029c231ada6f57d5c93b5e20b707dd91d33b67e2e110d974
            • Instruction Fuzzy Hash: F0F04F71E01248EFCB04EFA9D545A9EB7F4FF48300F508069B945EB392D674DA01DB55
            Function 00D055C9 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 07022cd03474bb40a0aeacc8cdb6d23ee8290fcc82962ee4294898ca6496c4a3
            • Instruction ID: bed2865c13b1f21b473a270408a41a43f3749abc6cb294a7e63a9bd261fa9ab6
            • Opcode Fuzzy Hash: 07022cd03474bb40a0aeacc8cdb6d23ee8290fcc82962ee4294898ca6496c4a3
            • Instruction Fuzzy Hash: 13F03C74A10248AFDB04EFA8D545A9EB7F4FF18300F508459B849EB381D674DA00DB65
            Function 00CF0115 Relevance: .0, Instructions: 32COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9a3126918c5cf6687fd15cd5d49634a1c77da7d2fc6f9c64955a177e083d2751
            • Instruction ID: ab69f928e392d6b0e089f374297c456a20e3ee4137b41240b51fec1da2af5a38
            • Opcode Fuzzy Hash: 9a3126918c5cf6687fd15cd5d49634a1c77da7d2fc6f9c64955a177e083d2751
            • Instruction Fuzzy Hash: CEF0273641A7C806CF715B287C523A92B649762B10F295089D6B197303C974CEC3CA31
            Function 00D052E2 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ab6eeaa1460105aae578a04100aa07f196798de1272b739ee8b174e9f1d275a0
            • Instruction ID: bdc1781a93ce3cf5d4467fea1873efcd3725dd0653e42314e4b0b04e1785d9ac
            • Opcode Fuzzy Hash: ab6eeaa1460105aae578a04100aa07f196798de1272b739ee8b174e9f1d275a0
            • Instruction Fuzzy Hash: 32F0BE70A10688ABDB04EFB9E906E6EB7B4FF04300F048059B805EB2C1EA74DA00DB24
            Function 00D05283 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f23dd1a2b59c3d9b5e4a8aa44d427d0cc9465d4de2e775cea1e20a07734bdd32
            • Instruction ID: c54dcae1dfa00f5e2f782c5f82b153366954431cfcf2bab3873ef86eb0d80d60
            • Opcode Fuzzy Hash: f23dd1a2b59c3d9b5e4a8aa44d427d0cc9465d4de2e775cea1e20a07734bdd32
            • Instruction Fuzzy Hash: 8DF0B470A10648DFDB04EBB4E906B6E77B4FF04300F004459B845EB3C1EB34D9009B54
            Function 00D0539D Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: af29f024f862fc1a4ef05fc8e2c7648cd9b40796dc51ca865fa60aaf983da549
            • Instruction ID: 79659c4775544ec30e114ad0c02f606d3730e1cd940f20cd4308a380eeb40ca6
            • Opcode Fuzzy Hash: af29f024f862fc1a4ef05fc8e2c7648cd9b40796dc51ca865fa60aaf983da549
            • Instruction Fuzzy Hash: 5DF05E70E1064CEFDB04EBB9E546BAEB7B4EF48304F108059F905EB291DA74DA01DB25
            Function 00C6C5ED Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c5e3a8c470b9daa5f6d7a49737b4e684ca7fe27d38c1a8517a856b5e638bab93
            • Instruction ID: 04f91217c8978b1c06c8f12914b2ea58a19ce6e9e767d3cd529e58f34006e0d0
            • Opcode Fuzzy Hash: c5e3a8c470b9daa5f6d7a49737b4e684ca7fe27d38c1a8517a856b5e638bab93
            • Instruction Fuzzy Hash: FDF027B1515A909FC732D718C1C8B71B3D4EB007A0F18A425F9FAC7952C374CD80CA58
            Function 00CAD070 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
            • Instruction ID: d28c14f80bbd787abfb9424b2c9ae4f5363cf9cc7406c44cd9105382d3da4fb8
            • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
            • Instruction Fuzzy Hash: 93F0E53350461467C230AA098C05F5BFBACDBD5B70F10431ABA249B1D1DA70AA01D7D6
            Function 00D051CB Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b91d85ed90cf154bcd30c15d858fbbc973de05af89599c3177aa87b41054d87a
            • Instruction ID: 6206411e814d3c6ecc8c0ea705459412292bb01245547ced35c90ec225c30293
            • Opcode Fuzzy Hash: b91d85ed90cf154bcd30c15d858fbbc973de05af89599c3177aa87b41054d87a
            • Instruction Fuzzy Hash: FAF08270A11248EBDB04EBB8E906F6E77B4FF04304F140059B905EB2D2EA74E901DB69
            Function 00C67208 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 05fd18612e10b0e7127203948af991efb1e0ebeb2ac8092bb5925ab4c2cb3ff5
            • Instruction ID: 95ec79d8cbfee54b1b94d4387b521f982ad66d7934606b6e52001549344bee74
            • Opcode Fuzzy Hash: 05fd18612e10b0e7127203948af991efb1e0ebeb2ac8092bb5925ab4c2cb3ff5
            • Instruction Fuzzy Hash: 43F055B1D116869FC732C718C0C4F22B3D9EF82B78F088560E8298B502C3B8CD80C2A0
            Function 00D05227 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f18b33fd2f17eaa94272445de9365cc00c0e09adaff060f4cff40cc883197393
            • Instruction ID: 91f13c94da3111db2f3c3756c010a0d11bf963e1a781cf889428e56b9ce23cc6
            • Opcode Fuzzy Hash: f18b33fd2f17eaa94272445de9365cc00c0e09adaff060f4cff40cc883197393
            • Instruction Fuzzy Hash: ACF0E270A10248ABDB04EBB8E906F6E73B8FF04304F040058B905EB2C1EA70DA009768
            Function 00D05341 Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9fea0df0d50094ec825cc76ff1a0d3aa8c9e6dc7473305b9c4063f03fe807889
            • Instruction ID: b801947f37bea71a86ab5433be9bd37e12526ef7f23f787f4f7e7f4ff16dd95e
            • Opcode Fuzzy Hash: 9fea0df0d50094ec825cc76ff1a0d3aa8c9e6dc7473305b9c4063f03fe807889
            • Instruction Fuzzy Hash: 7BF02770A0024DEBCB04DBB8E846E9E77B4EF09340F100059F405EB3D1EA74DD009724
            Function 00D054DB Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e2ab211241e0a9f9f3044467a11f4ecba6c7ac913d2d5d82aaa1831b75f1eac
            • Instruction ID: fdb5532f3bc3070914a132848644d7070aee5715fbe51f67e77607fc265d887f
            • Opcode Fuzzy Hash: 1e2ab211241e0a9f9f3044467a11f4ecba6c7ac913d2d5d82aaa1831b75f1eac
            • Instruction Fuzzy Hash: 05F08270A10248ABDB04EBB9E95AF9E7BB5EF08304F144059B505EB2C1EA74DD00AB29
            Function 00D0547F Relevance: .0, Instructions: 30COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 74607c8a6d430eef3cd1b186bfb9400162459abc0b179eff42ac71cd1a3909cd
            • Instruction ID: f70ae86d30098963b6bf92e64e0731c97fff4c6e22c158e9053958e93e6adf19
            • Opcode Fuzzy Hash: 74607c8a6d430eef3cd1b186bfb9400162459abc0b179eff42ac71cd1a3909cd
            • Instruction Fuzzy Hash: B7F08270A11648ABDB04DBB9E946F9E77B4EF08304F144055F505EB3C1EA74D9019769
            Function 00C655C0 Relevance: .0, Instructions: 28COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
            • Instruction ID: 4c854f69b67de83844ce6d5ddc481cd14d371571cc0366c8c4270d3861bb2bc2
            • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
            • Instruction Fuzzy Hash: ACE0E533104A14ABC2311A16DC05F12BBA9FF907B0F208215B56A17590C760AD11DAD4
            Function 00C325E0 Relevance: .0, Instructions: 23COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: b1e7416acdde56980edd498aa87008ce27076d3c2450cec186ea3eb54a867621
            • Instruction ID: 48d924cced6b7ed6372428a38a7321de635fe0cde7f179e44613dcfba2f2e8fb
            • Opcode Fuzzy Hash: b1e7416acdde56980edd498aa87008ce27076d3c2450cec186ea3eb54a867621
            • Instruction Fuzzy Hash: 4EE092321106949BC721BB29DD02F8B77AAEF90361F014515B115571A1CA30A910D794
            Function 00C2823B Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction ID: 0b783fcb479d9dbd485081ee58fb7ba81fa35beff726efe86baaa5a9e81abc67
            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction Fuzzy Hash: 3DE0C231002A30EFDB317F12EC01F5277A1FF94B50F208929F086168A58BB0AC85FB48
            Function 00CEB3D0 Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction ID: dcfb350c1bfca6a429cd1a647a32fb015695c187ed8e65bb1baab497939e69da
            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
            • Instruction Fuzzy Hash: 4AE0C231284254BBDB226A41CD41F7ABB15EB907E0F204031FB086AAA1CA71AD91E6D4
            Function 00C32050 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 716d5075f536e54636801ddeb6cad8dbf207ef7d3614ae398f60359278c9ca65
            • Instruction ID: da8f67fc34021746b1d8078f9af6ea493ff2080643e025855be62cb216eb2c59
            • Opcode Fuzzy Hash: 716d5075f536e54636801ddeb6cad8dbf207ef7d3614ae398f60359278c9ca65
            • Instruction Fuzzy Hash: 0CE0C2321106906BC721FB5DDD42F8A73AEEFA43A0F000221F150976A1CA20FD01D794
            Function 00CB92BC Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f91783a91644888e558aff9bfbf6f39adb47b3822cb06fa80f88de13e06dca76
            • Instruction ID: 08d5d9dd17caae09a92db1fd54ffd4cce7d859109533266049d6eaf21db88f7b
            • Opcode Fuzzy Hash: f91783a91644888e558aff9bfbf6f39adb47b3822cb06fa80f88de13e06dca76
            • Instruction Fuzzy Hash: 9AF0C234651B84CBE62ACF08D1A2B9173B9FB55B44F500458D4468BBB1C73AAE42CA40
            Function 00C2B562 Relevance: .0, Instructions: 17COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
            • Instruction ID: 5e739417554ad26faa856b6eb287468201f6f9c3fe01998e0dadb56efff216cf
            • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
            • Instruction Fuzzy Hash: 09D05E311616A0AFC7327F15FE46F827BB5AF80B50F050529B0422A8F1C6B1EE84E790
            Function 00C6E59C Relevance: .0, Instructions: 16COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
            • Instruction ID: 55f3895b98b88fc3514101e438a70c3a09d48279e78685e004c774f1b2d7d4a4
            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
            • Instruction Fuzzy Hash: 16D0A932204660ABD732AA1CFC00FC333E8BB88760F060559B019C7050C360AC81CA84
            Function 00C2A0E3 Relevance: .0, Instructions: 15COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction ID: 14a173ec2a1d32a8e6a710d4de55ea65fb88b4fca527d409279385aa570f1a9d
            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction Fuzzy Hash: B2D0123221607097CB2966567954F676915ABC5BA4F1A016D780AE3D00C9158D42E6E1
            Function 00C402A0 Relevance: .0, Instructions: 13COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction ID: 4b2e82ec9bc1f464e5b6ffb5e4db40ac1dbadc4f107a3c337d550a0a1df5a3b8
            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction Fuzzy Hash: 91D0C935252E81CFC62ACF0DC5A8F1633B4BB44B44F910490E501CBB61D6BCDE40CE00
            Function 00CB930B Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction ID: 1e5376863769c82cc0954282b1eb14a52c75f0bbe16ae373d268345eff603f5e
            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
            • Instruction Fuzzy Hash: 8FD01735945AC48FE727CB08C165B907BF4F705B40F850098E04247AA2C27C9E84CB00
            Function 00C50310 Relevance: .0, Instructions: 11COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction ID: 81756bcf2ee8627fb95422a7b422da398438f33a3efd7202516fad13def5a46c
            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction Fuzzy Hash: EED01236100248EFCB01DF41C890D9A772AFBC8710F148019FD1907611CA31ED62DA50
            Function 00C5340D Relevance: .0, Instructions: 10COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
            • Instruction ID: 2e71b69f9b1b34ef18332c3574eba9999a7dc0325a22f0a721b9ba8a6079ef63
            • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
            • Instruction Fuzzy Hash: 00C08C781415C06AEB2B6700C901B283A50BB00787F84029CBE40394A2C378DF46821C
            Function 00C73090 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86a2e5715bbdaa3574cd12c0dd4186890bb55b61d25d108eb0e3fa6695592667
            • Instruction ID: 6a7c666295f001d6aacabd7a915dd22508866ff79993bbb885066c138b72fee7
            • Opcode Fuzzy Hash: 86a2e5715bbdaa3574cd12c0dd4186890bb55b61d25d108eb0e3fa6695592667
            • Instruction Fuzzy Hash: 8890026124140802D644715884547470007C7D0B05F96C022A0024598D8A168A6977B5
            Function 00C73010 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 361f808280d044c1e874b3dd882f2baf375199f10221f2cfa2093de8172e1b18
            • Instruction ID: ba3064075f575f2b7a41a8a98cc273a1d32d3fc7f04de238d534011334f8458a
            • Opcode Fuzzy Hash: 361f808280d044c1e874b3dd882f2baf375199f10221f2cfa2093de8172e1b18
            • Instruction Fuzzy Hash: A690026120184442D64472584844B4F410687E1706FD6C02AA4156598CCD1589596725
            Function 00C74340 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 84407ea1287d48ffc7988406525989442a5764228b663939975686d102824631
            • Instruction ID: b65c2e8f5e57a8f14635887caf33d3bd01a32a8dc5dbe570e915606d36a70282
            • Opcode Fuzzy Hash: 84407ea1287d48ffc7988406525989442a5764228b663939975686d102824631
            • Instruction Fuzzy Hash: 17900271605800129644715848C4586400697E0705B96C022E0424598C8E148A5A6365
            Function 00C74650 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b6ffe8636700f21e6b52bffad4554cf3b19a48d5615cf90723e58801140fe882
            • Instruction ID: 5114c9aba50ee64a4e0dec16f448a7a5e33964899cfe00376ccdc6dfdc7572e8
            • Opcode Fuzzy Hash: b6ffe8636700f21e6b52bffad4554cf3b19a48d5615cf90723e58801140fe882
            • Instruction Fuzzy Hash: 909002A160150042464471584844446600697E17053D6C126A05545A4C8A188959A36D
            Function 00C739B0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 602c2bc38fcc65fa68024c27ce63287317443f80da60134fb8d16eb302fde44f
            • Instruction ID: a68cfc4976a3fe8f3ac8b8eeccab060d2625195f2c48762288c1da52fa61b46b
            • Opcode Fuzzy Hash: 602c2bc38fcc65fa68024c27ce63287317443f80da60134fb8d16eb302fde44f
            • Instruction Fuzzy Hash: 3B90026124545102D654715C44446564006A7E0705F96C032A08145D8D895589597325
            Function 00C72AD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 24d7d58b0eb900f542def3458e5c1200ba7c41c33786626598d8ede2a3b99f84
            • Instruction ID: a1946ee7f9b660d10324e2db7f503f4c9a02826bd19453560ce0ac8990b35b9d
            • Opcode Fuzzy Hash: 24d7d58b0eb900f542def3458e5c1200ba7c41c33786626598d8ede2a3b99f84
            • Instruction Fuzzy Hash: 72900265211400030609B5580744547004787D5755396C032F1015594CDA2189656225
            Function 00C72AF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4b436eb8f3978ab9f1cc232544dba5801f8cd1feffae02bbb5f256c2bca5d715
            • Instruction ID: 77f5c600756a1fb2b3149c8606c619689a425a1308798e102bbb358e7604c371
            • Opcode Fuzzy Hash: 4b436eb8f3978ab9f1cc232544dba5801f8cd1feffae02bbb5f256c2bca5d715
            • Instruction Fuzzy Hash: 6A900265221400020649B558064454B044697D67553D6C026F14165D4CCA2189696325
            Function 00C72AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a5fb559235acec7838734ea8271ca3fc78b9c1b226d18a28e37c325d19207eaf
            • Instruction ID: 15240cd975292ca934fcd1081be8e452a401799b38439e501d3994be97a3c447
            • Opcode Fuzzy Hash: a5fb559235acec7838734ea8271ca3fc78b9c1b226d18a28e37c325d19207eaf
            • Instruction Fuzzy Hash: 649002E1201540924A04B2588444B4A450687E0705B96C027E10545A4CC9258955A239
            Function 00C72BE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c463f4f371323e42ed9303aac6ab0d48667dfee0b78bf6859bca42013f45d0a5
            • Instruction ID: ed7f9b61b8aa6c98f6c787fdcd5915e091e5838b7e3b51a0b5aa16d0b34773bf
            • Opcode Fuzzy Hash: c463f4f371323e42ed9303aac6ab0d48667dfee0b78bf6859bca42013f45d0a5
            • Instruction Fuzzy Hash: 2090027120544842D64471584444A86001687D0709F96C022A00646D8D9A258E59B765
            Function 00C72BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f945d2c626b9670255eb4da32b9a4b0db2e47e4799a3934360be02418197c6f
            • Instruction ID: c1f9fce43cac7bf4dbd5aa00436e6b9c9ec4c5d36a73530c7ddca20f442ae1e2
            • Opcode Fuzzy Hash: 8f945d2c626b9670255eb4da32b9a4b0db2e47e4799a3934360be02418197c6f
            • Instruction Fuzzy Hash: 6F90027120140802D6847158444468A000687D1705FD6C026A0025698DCE158B5D77A5
            Function 00C72B80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e91dba06ed746115f40c41e2fb716b29aa684848c8f1f1ebeb0bceb10eb6750e
            • Instruction ID: 897dec077cf807fdcd1d0f0f0e53553fe92a1a8a0aec4da31c48a3b9780bc3f6
            • Opcode Fuzzy Hash: e91dba06ed746115f40c41e2fb716b29aa684848c8f1f1ebeb0bceb10eb6750e
            • Instruction Fuzzy Hash: 2590027120140802D608715848446C6000687D0705F96C022A6024699E9A6589957235
            Function 00C72BA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bcfab1b40e4343991f49f7b6d6eb666ad5413bf82f5635925188e29358280ecc
            • Instruction ID: b086187a60497f1f8a1be23d4e008938d95111fef597867626028a7da14ce9d0
            • Opcode Fuzzy Hash: bcfab1b40e4343991f49f7b6d6eb666ad5413bf82f5635925188e29358280ecc
            • Instruction Fuzzy Hash: 9C90027160540802D65471584454786000687D0705F96C022A0024698D8B558B5977A5
            Function 00C72CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4c45150d751020db3e40a9a6a51737f8a8019df8840c72a368379204ee5812d2
            • Instruction ID: 583adb93e40bc0bb59f7c0846e84c077baaec20945e9d561a041363133cb1883
            • Opcode Fuzzy Hash: 4c45150d751020db3e40a9a6a51737f8a8019df8840c72a368379204ee5812d2
            • Instruction Fuzzy Hash: 6690026160540402D64471585458746001687D0705F96D022A0024598DCA598B5977A5
            Function 00C72CF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9556de265e5c1774e84962fc1cf0d0280673aaba47f0f3ff91a9b71fc96b58b3
            • Instruction ID: b069cb6006176ece1517cfe8e3c1a0f90c195824d5d2348acbe97704b33b6967
            • Opcode Fuzzy Hash: 9556de265e5c1774e84962fc1cf0d0280673aaba47f0f3ff91a9b71fc96b58b3
            • Instruction Fuzzy Hash: 2A90027120140403D60471585548747000687D0705F96D422A042459CDDA5689557225
            Function 00C72CA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ad12d9361d1a71dda6bfe71ec631bf1c0daacf04208adbde10b70716caa7a986
            • Instruction ID: 42166136761b0647c99f65ed7391d77a48bd8dc63830edb50bd1861ab6d7f277
            • Opcode Fuzzy Hash: ad12d9361d1a71dda6bfe71ec631bf1c0daacf04208adbde10b70716caa7a986
            • Instruction Fuzzy Hash: D990027120140402D60475985448686000687E0705F96D022A5024599ECA6589957235
            Function 00C72C60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4547dd772852ed89998a841fe351281345a269e2bc1bf3cdd8fa1b8df7e5234
            • Instruction ID: 2de48c12aeeeaa745d1b5c25c2400d62be6297adc0bfac9480c15d98f1d44f99
            • Opcode Fuzzy Hash: d4547dd772852ed89998a841fe351281345a269e2bc1bf3cdd8fa1b8df7e5234
            • Instruction Fuzzy Hash: F790027120140842D60471584444B86000687E0705F96C027A0124698D8A15C9557625
            Function 00C72C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 254e6668d848cae9ebf7bc9534ebe6e6230c39720bd2a0292736b34060f532ee
            • Instruction ID: 007c5704801779416e88af1e2a85e40d9d7e9e940720660a954bf645ef649cdb
            • Opcode Fuzzy Hash: 254e6668d848cae9ebf7bc9534ebe6e6230c39720bd2a0292736b34060f532ee
            • Instruction Fuzzy Hash: D490027120148802D6147158844478A000687D0705F9AC422A442469CD8A9589957225
            Function 00C72DD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 443f5f24e2b258eb34ad2575a8fb259805216e974db8dbce71da51ab32ad1850
            • Instruction ID: 98e0977ada80bd3f7b00511ebc9a8301b694e5fa35b6728739657c43868ecb4d
            • Opcode Fuzzy Hash: 443f5f24e2b258eb34ad2575a8fb259805216e974db8dbce71da51ab32ad1850
            • Instruction Fuzzy Hash: 12900261242441525A49B1584444547400797E07457D6C023A1414994C8926995AE725
            Function 00C72DB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 76c43131766bda9de07ac84622092c300d2b5b1236115ce248145726730b7859
            • Instruction ID: 90f3d185e61949c9c5756b1b1d7d1df82f376ccd5b8b6e1fd7c719c66f970a93
            • Opcode Fuzzy Hash: 76c43131766bda9de07ac84622092c300d2b5b1236115ce248145726730b7859
            • Instruction Fuzzy Hash: E990027124140402D64571584444646000A97D0745FD6C023A0424598E8A558B5ABB65
            Function 00C73D70 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1dbffa6cc69c0585e612ee66bd892837c0b6a3871f3d378641ef93179783c995
            • Instruction ID: 7779a97e501c3a208047c6d189d17bc3aeba9123577c14792c152d45a43b344d
            • Opcode Fuzzy Hash: 1dbffa6cc69c0585e612ee66bd892837c0b6a3871f3d378641ef93179783c995
            • Instruction Fuzzy Hash: 1890027520140402DA1471585844686004787D0705F96D422A042459CD8A5489A5B225
            Function 00C72D00 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dfe1b8b13a557bad4c19d04165c3f2bda0c39af6a7c9bca6c07530ee164b9f0f
            • Instruction ID: 496757cf013892f1b6283b15361f7ae65cae289cc1512f245ed961beb6b96788
            • Opcode Fuzzy Hash: dfe1b8b13a557bad4c19d04165c3f2bda0c39af6a7c9bca6c07530ee164b9f0f
            • Instruction Fuzzy Hash: 2E90026120544442D60475585448A46000687D0709F96D022A10645D9DCA358955B235
            Function 00C72D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cc16bc69a96b80b94ddf1348923dad1b263f3797971e56ed563a8a04a5d86b6c
            • Instruction ID: 58e8cfc1659f71938e3c4bcf95a786aa8ed49f1c2b258df7d5aa5b8a43ce331d
            • Opcode Fuzzy Hash: cc16bc69a96b80b94ddf1348923dad1b263f3797971e56ed563a8a04a5d86b6c
            • Instruction Fuzzy Hash: 8F90026921340002D6847158544864A000687D1706FD6D426A001559CCCD15896D6325
            Function 00C73D10 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfef263c15f5497d5196b95e991beb6be7876ce01a9d917c0504f0ce8a64d229
            • Instruction ID: 17b3dc0e523dc47a0d82e3b8a9b327ecf25fce5272c81c3ca7f61e08aa9ed02f
            • Opcode Fuzzy Hash: cfef263c15f5497d5196b95e991beb6be7876ce01a9d917c0504f0ce8a64d229
            • Instruction Fuzzy Hash: D2900271202401429A4472585844A8E410687E1706BD6D426A0015598CCD1489656325
            Function 00C72D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ec8c121791a1aaaa917edea6692862a1baf740b7c5953adf5208aef1dd582dc5
            • Instruction ID: 6c1ef2cd42545641dfe9d222f0a8fb4fd5b7facd15719dca79207543c38d21b0
            • Opcode Fuzzy Hash: ec8c121791a1aaaa917edea6692862a1baf740b7c5953adf5208aef1dd582dc5
            • Instruction Fuzzy Hash: D490026130140003D644715854586464006D7E1705F96D022E0414598CDD15895A6326
            Function 00C72EE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a806225e400e49e8a57c7b2eb9ae0b1cdbc99ae6605433ce5fd6743507e498e1
            • Instruction ID: 184fa1dc9b084e5cd1c372523eadb13cf77119a09dae8f0c041f7a58a20f0aa7
            • Opcode Fuzzy Hash: a806225e400e49e8a57c7b2eb9ae0b1cdbc99ae6605433ce5fd6743507e498e1
            • Instruction Fuzzy Hash: FD9002A120180403D64475584844647000687D0706F96C022A2064599E8E298D557239
            Function 00C72E80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 923efd93468d75f6aebbfabc3649f8c137b8a6489871057498ac48fb5ffd6be2
            • Instruction ID: 13504529af535a66efdcaf2079a4ee3afac69a26e1efdc381e139eaa5e74d35c
            • Opcode Fuzzy Hash: 923efd93468d75f6aebbfabc3649f8c137b8a6489871057498ac48fb5ffd6be2
            • Instruction Fuzzy Hash: D690026160140502D60571584444656000B87D0745FD6C033A1024599ECE258A96B235
            Function 00C72EA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f31d86a3f0268f5b42edbf890e04ddb6775786d91833df9e9b521eb32782bb30
            • Instruction ID: acfd3dcf50bc2bd746180fa865db1cafc3bf7f3a05d9c32ec44a09f67976ba09
            • Opcode Fuzzy Hash: f31d86a3f0268f5b42edbf890e04ddb6775786d91833df9e9b521eb32782bb30
            • Instruction Fuzzy Hash: A39002B120140402D64471584444786000687D0705F96C022A5064598E8A598ED97769
            Function 00C72E30 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 540c87f9f6c65e34963b3210c7dac67b30413b4d5b3afd8b68d7d347b229d23b
            • Instruction ID: 67c7f377ff98f83e3d761f159920e8823076646c143ca39829d9d3a1294f1996
            • Opcode Fuzzy Hash: 540c87f9f6c65e34963b3210c7dac67b30413b4d5b3afd8b68d7d347b229d23b
            • Instruction Fuzzy Hash: E790026130140402D60671584454646000AC7D1749FD6C023E1424599D8A258A57B236
            Function 00C72FE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c90925c9e691cc5cb20c4712774c37121a1c669f5a37c2636676a1b553236b0
            • Instruction ID: adadac4ad212ac37677befbb645d9d23ec39f17ff4a39710fee25fb5da3f3121
            • Opcode Fuzzy Hash: 9c90925c9e691cc5cb20c4712774c37121a1c669f5a37c2636676a1b553236b0
            • Instruction Fuzzy Hash: F7900261211C0042D70475684C54B47000687D0707F96C126A0154598CCD1589656625
            Function 00C72F90 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e36af1ceb41bdcff17e52efaa72da25530262c0d7f9f3d01b7b746e91a4b3815
            • Instruction ID: f21066695eef2fd394a7f5cce263e3ac5319c60939e0bbab4c7a26ebbc9ebad0
            • Opcode Fuzzy Hash: e36af1ceb41bdcff17e52efaa72da25530262c0d7f9f3d01b7b746e91a4b3815
            • Instruction Fuzzy Hash: 9990027120180402D6047158485474B000687D0706F96C022A1164599D8A2589557675
            Function 00C72FA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 75935a1fed8e31323f72816c59e51767fb1bd4b30c335ef042067baf47448eee
            • Instruction ID: f8f2296900c3b4f1ba7088ec08f2220f61a212c39293ffabe1ae485f6958a8d7
            • Opcode Fuzzy Hash: 75935a1fed8e31323f72816c59e51767fb1bd4b30c335ef042067baf47448eee
            • Instruction Fuzzy Hash: 8D90027120180402D60471584848787000687D0706F96C022A5164599E8A65C9957635
            Function 00C72FB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: df3936ba0f27be3ab9f1510ea24cf1f068d952e8049999abb8f2c1ad7e18bc8a
            • Instruction ID: c3cd273f3576ddbd2215445e3b22f02b8fed429e88ae645e8e2b3ec21e1b0504
            • Opcode Fuzzy Hash: df3936ba0f27be3ab9f1510ea24cf1f068d952e8049999abb8f2c1ad7e18bc8a
            • Instruction Fuzzy Hash: CF900261601400424644716888849464006ABE1715796C132A0998594D895989696769
            Function 00C72F60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 81c00f0dd47e252eaa1ec8b3f42ad7101aa25c58272a0a97d7d4eb7633efe509
            • Instruction ID: 0d7d8b2d0351e565183ca8fec1abd65c4af97b2041f8164443a24a110f0f8d80
            • Opcode Fuzzy Hash: 81c00f0dd47e252eaa1ec8b3f42ad7101aa25c58272a0a97d7d4eb7633efe509
            • Instruction Fuzzy Hash: 099002A121140042D60871584444746004687E1705F96C023A2154598CC9298D656229
            Function 00C72F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2691c981134b2066698c0846469f77d84148993cca7c75ba0bc990e83eefbdb4
            • Instruction ID: 630175fa013bd7b434f2735cd5af64321b8e10f26a2bcb65a5ed180f42e0ae94
            • Opcode Fuzzy Hash: 2691c981134b2066698c0846469f77d84148993cca7c75ba0bc990e83eefbdb4
            • Instruction Fuzzy Hash: CB9002A134140442D60471584454B460006C7E1705F96C026E1064598D8A19CD56722A
            Function 00C72C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction ID: 01dab61987fecbfeda5464aaadde849db90a673c4c19540990d09e5ed5a20947
            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction Fuzzy Hash:
            Function 00C72890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 466fd8eacf515801f21078cd1f411420c6c9a887d4555411703110676150e14a
            • Instruction ID: ff3efab6f44923a4b4583dd69fe0b2f1e244894abddb11329c4ea7e4a8ccb7ff
            • Opcode Fuzzy Hash: 466fd8eacf515801f21078cd1f411420c6c9a887d4555411703110676150e14a
            • Instruction Fuzzy Hash: 6D51E6B6A00556BFCB10DB99C89097EF7B8BB09304B24C169E5A9D7681D334DF40DBA1
            Function 00C67630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
            Download Yara Rule
            Strings
            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00CA4725
            • ExecuteOptions, xrefs: 00CA46A0
            • Execute=1, xrefs: 00CA4713
            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00CA46FC
            • CLIENT(ntdll): Processing section info %ws..., xrefs: 00CA4787
            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00CA4655
            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00CA4742
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
            • API String ID: 0-484625025
            • Opcode ID: 01b0d28b1785a8335b7a24cc921c1706caceb53405232864901a9393c185ecf9
            • Instruction ID: b01f1d00f6d567fe5958d76bbe026deb5f0bf2e29addafc11b2ba411c922dcc8
            • Opcode Fuzzy Hash: 01b0d28b1785a8335b7a24cc921c1706caceb53405232864901a9393c185ecf9
            • Instruction Fuzzy Hash: 96513631604209AADF35ABA4DCCAFEA73B8EF05308F1405A9F505A7291E770DE42DB60
            Function 00C7B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-$0$0
            • API String ID: 1302938615-699404926
            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
            • Instruction ID: 189ca2bfa44f755219ad674b0480c0bbe39f6c7a08270d7e89063a728c84d065
            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
            • Instruction Fuzzy Hash: 5081C170E052499EDF2C8E68C8917FEBBB5AF85350F18C219E879A72D1C7349E41CB61
            Function 00C6BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
            Download Yara Rule
            Strings
            • RTL: Resource at %p, xrefs: 00CA7B8E
            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00CA7B7F
            • RTL: Re-Waiting, xrefs: 00CA7BAC
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 0-871070163
            • Opcode ID: f3c3b7feeda76aaf6689097adf2e45b250b930ce5b5c72262028bd183526e1b0
            • Instruction ID: 9f4d0c984c3e0b2727fd641d786fb43aefb21100a74fa644baad4c0811b515d7
            • Opcode Fuzzy Hash: f3c3b7feeda76aaf6689097adf2e45b250b930ce5b5c72262028bd183526e1b0
            • Instruction Fuzzy Hash: DE4112353047028FC724DE29DC81B6AB3E5EF89710F100A2DF96ADB690DB31ED459B92
            Function 00C6B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA728C
            Strings
            • RTL: Resource at %p, xrefs: 00CA72A3
            • RTL: Re-Waiting, xrefs: 00CA72C1
            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00CA7294
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 885266447-605551621
            • Opcode ID: 8b284ed259470478866c1902f2366ecd192f0ba9ef259cdd3c7e0c7cbc623410
            • Instruction ID: 6d57bd911c290736470ea7e9c2a4296787a7852c1dd473ef4e15b55db47eeb80
            • Opcode Fuzzy Hash: 8b284ed259470478866c1902f2366ecd192f0ba9ef259cdd3c7e0c7cbc623410
            • Instruction Fuzzy Hash: 3841F031704612ABC720DE25CC82F6AB7A5FB85718F204729F865EB281DB30ED86D7D1
            Function 00C77D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-
            • API String ID: 1302938615-2137968064
            • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
            • Instruction ID: c181878852370fca649b5bf5783c23f8dbf39723618e39bafa52f844c19266c9
            • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
            • Instruction Fuzzy Hash: 37919370E0421E9FDF24DEA9C9816BEB7A5AF44320F24C71AE869E72C0DB309E418750
            Function 00C39126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.3033055724.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_c00000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$@
            • API String ID: 0-1194432280
            • Opcode ID: 33a193319e3922104fe2d25ed89a467a0fe1c67862abaae87c94b2b6be18c277
            • Instruction ID: 22141a104d295d882687f66ddb5d1dcc7bf8e61b5d1e63cf26a2980ef9041a23
            • Opcode Fuzzy Hash: 33a193319e3922104fe2d25ed89a467a0fe1c67862abaae87c94b2b6be18c277
            • Instruction Fuzzy Hash: B5811C72D00269ABDB31DF54CC49BEEB7B4AF08710F0041DAA919B7690D7709E85DFA4