Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Shipment Notification.exe

Overview

General Information

Sample name:Shipment Notification.exe
Analysis ID:1573129
MD5:65df98b65b9c4cca6ede8e466d67d874
SHA1:52b38684900c19b857cecb5348f65a1305f911fa
SHA256:0629d06c5aa9b9c33a5b7f9fb029023c3c6140bd475e6b68645beca7d85203bd
Tags:exeuser-James_inthe_box
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • Shipment Notification.exe (PID: 2448 cmdline: "C:\Users\user\Desktop\Shipment Notification.exe" MD5: 65DF98B65B9C4CCA6EDE8E466D67D874)
    • svchost.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\Shipment Notification.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • armsvc.exe (PID: 6400 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 8F45A42A43A3B47A199D0B5346E419EB)
  • alg.exe (PID: 1776 cmdline: C:\Windows\System32\alg.exe MD5: 0CD114E258D21CEB68054A8716E202D4)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 3852 cmdline: C:\Windows\system32\AppVClient.exe MD5: 0E2341A5D856BFAE2CC1F50CF22BE6C2)
  • FXSSVC.exe (PID: 3168 cmdline: C:\Windows\system32\fxssvc.exe MD5: 2F3B30AD24454A67D8021F602425F4FA)
  • elevation_service.exe (PID: 5640 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: ABA75CE67151B4E7CE468B1889A81F1C)
  • maintenanceservice.exe (PID: 5748 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: E010C33CCF44CC658E6BE30DD8099ED5)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    0000000C.00000002.2456776187.00000000036D0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      12.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        12.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Execution of Suspicious File Type Extension
          Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Shipment Notification.exe", CommandLine: "C:\Users\user\Desktop\Shipment Notification.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment Notification.exe", ParentImage: C:\Users\user\Desktop\Shipment Notification.exe, ParentProcessId: 2448, ParentProcessName: Shipment Notification.exe, ProcessCommandLine: "C:\Users\user\Desktop\Shipment Notification.exe", ProcessId: 5740, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\Shipment Notification.exe", CommandLine: "C:\Users\user\Desktop\Shipment Notification.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment Notification.exe", ParentImage: C:\Users\user\Desktop\Shipment Notification.exe, ParentProcessId: 2448, ParentProcessName: Shipment Notification.exe, ProcessCommandLine: "C:\Users\user\Desktop\Shipment Notification.exe", ProcessId: 5740, ProcessName: svchost.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-12-11T15:09:27.357731+010020516491A Network Trojan was detected192.168.2.5609621.1.1.153UDP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-12-11T15:09:17.688691+010020516481A Network Trojan was detected192.168.2.5568051.1.1.153UDP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-12-11T15:09:08.849138+010020181411A Network Trojan was detected54.244.188.17780192.168.2.549704TCP
          2024-12-11T15:09:13.113888+010020181411A Network Trojan was detected18.141.10.10780192.168.2.549707TCP
          2024-12-11T15:09:17.743075+010020181411A Network Trojan was detected44.221.84.10580192.168.2.549709TCP
          2024-12-11T15:11:05.062119+010020181411A Network Trojan was detected47.129.31.21280192.168.2.549952TCP
          2024-12-11T15:11:07.969540+010020181411A Network Trojan was detected13.251.16.15080192.168.2.549961TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-12-11T15:09:08.849138+010020377711A Network Trojan was detected54.244.188.17780192.168.2.549704TCP
          2024-12-11T15:09:13.113888+010020377711A Network Trojan was detected18.141.10.10780192.168.2.549707TCP
          2024-12-11T15:09:17.743075+010020377711A Network Trojan was detected44.221.84.10580192.168.2.549709TCP
          2024-12-11T15:11:05.062119+010020377711A Network Trojan was detected47.129.31.21280192.168.2.549952TCP
          2024-12-11T15:11:07.969540+010020377711A Network Trojan was detected13.251.16.15080192.168.2.549961TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-12-11T15:09:12.994539+010028508511Malware Command and Control Activity Detected192.168.2.54970718.141.10.10780TCP
          2024-12-11T15:10:40.157278+010028508511Malware Command and Control Activity Detected192.168.2.54985682.112.184.19780TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: Shipment Notification.exeAvira: detected
          Antivirus detection for URL or domain
          Source: http://54.244.188.177/LAvira URL Cloud: Label: phishing
          Antivirus detection for dropped file
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\AppVClient.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\FXSSVC.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\alg.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeAvira: detection malicious, Label: W32/Infector.Gen
          Multi AV Scanner detection for submitted file
          Source: Shipment Notification.exeReversingLabs: Detection: 84%
          Yara detected FormBook
          Source: Yara matchFile source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.2456776187.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for dropped file
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJoe Sandbox ML: detected
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJoe Sandbox ML: detected
          Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJoe Sandbox ML: detected
          Source: C:\Windows\System32\AppVClient.exeJoe Sandbox ML: detected
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJoe Sandbox ML: detected
          Source: C:\Windows\System32\FXSSVC.exeJoe Sandbox ML: detected
          Source: C:\Windows\System32\alg.exeJoe Sandbox ML: detected
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJoe Sandbox ML: detected
          Machine Learning detection for sample
          Source: Shipment Notification.exeJoe Sandbox ML: detected
          Source: Shipment Notification.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Shipment Notification.exe, 00000000.00000003.2087192387.0000000004010000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: Shipment Notification.exe, 00000000.00000003.2111119822.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: Shipment Notification.exe, 00000000.00000003.2091416659.0000000004010000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: Shipment Notification.exe, 00000000.00000003.2130135533.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: Shipment Notification.exe, 00000000.00000003.2111119822.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: PresentationFontCache.pdb source: Shipment Notification.exe, 00000000.00000003.2130135533.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: maintenanceservice.pdb` source: Shipment Notification.exe, 00000000.00000003.2156206567.0000000004100000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.0.dr
          Source: Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: Shipment Notification.exe, 00000000.00000003.2157216427.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2156697482.0000000005160000.00000004.00001000.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2156444729.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2456850135.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2414060188.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2411229837.0000000003500000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Shipment Notification.exe, 00000000.00000003.2157216427.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2156697482.0000000005160000.00000004.00001000.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2156444729.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2456850135.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2414060188.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2411229837.0000000003500000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.0.dr
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe0.0.dr
          Source: Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
          Source: Binary string: ALG.pdb source: Shipment Notification.exe, 00000000.00000003.2091416659.0000000004010000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: maintenanceservice.pdb source: Shipment Notification.exe, 00000000.00000003.2156206567.0000000004100000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.0.dr

          Spreading

          barindex
          Infects executable files (exe, dll, sys, html)
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Windows\System32\AppVClient.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to behavior

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49707 -> 18.141.10.107:80
          Source: Network trafficSuricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.5:56805 -> 1.1.1.1:53
          Source: Network trafficSuricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.5:60962 -> 1.1.1.1:53
          Source: Network trafficSuricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49856 -> 82.112.184.197:80
          Source: Joe Sandbox ViewIP Address: 54.244.188.177 54.244.188.177
          Source: Joe Sandbox ViewIP Address: 18.141.10.107 18.141.10.107
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.5:49704
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.5:49707
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.5:49709
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.5:49704
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.5:49707
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.5:49709
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.5:49952
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.5:49961
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.5:49952
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.5:49961
          Source: global trafficHTTP traffic detected: POST /wqjbkdjiy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 824
          Source: global trafficHTTP traffic detected: POST /nu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /odsonv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 824
          Source: global trafficHTTP traffic detected: POST /ifrlysutnhlr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /pm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /hsyjdjsftfdjf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficDNS traffic detected: DNS query: pywolwnvd.biz
          Source: global trafficDNS traffic detected: DNS query: ssbzmoy.biz
          Source: global trafficDNS traffic detected: DNS query: vcddkls.biz
          Source: unknownHTTP traffic detected: POST /wqjbkdjiy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 824
          Source: Shipment Notification.exe, 00000000.00000003.2149855570.0000000000D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/
          Source: Shipment Notification.exe, 00000000.00000003.2143398750.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2144728878.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2143080369.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2145184802.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2142746119.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/odsonv
          Source: Shipment Notification.exe, 00000000.00000003.2149855570.0000000000D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107:80/odsonv
          Source: Shipment Notification.exe, 00000000.00000003.2112960416.0000000000D6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/0
          Source: Shipment Notification.exe, 00000000.00000003.2113341449.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112354159.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2113577723.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112582816.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112960416.0000000000D6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/5a
          Source: Shipment Notification.exe, 00000000.00000003.2113341449.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112354159.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2113577723.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112582816.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112960416.0000000000D6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/L
          Source: Shipment Notification.exe, 00000000.00000003.2118599789.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2127230929.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2126770354.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2125994169.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2127641557.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2121538826.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2123927792.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2118279910.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2116094406.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2125659450.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2115519146.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2120542765.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2120325191.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2131962281.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2123625602.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2116322387.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2122485322.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2116981590.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2117142679.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2115175743.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2115913651.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177:80/wqjbkdjiyp
          Source: elevation_service.exe.0.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
          Source: elevation_service.exe.0.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.2456776187.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Binary is likely a compiled AutoIt script file
          Source: Shipment Notification.exe, 00000000.00000000.2084669383.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_1439b013-5
          Source: Shipment Notification.exe, 00000000.00000000.2084669383.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_623069a3-f
          Source: Shipment Notification.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_432782aa-0
          Source: Shipment Notification.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f2e552c3-a
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0042CBC3 NtClose,12_2_0042CBC3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972B60 NtClose,LdrInitializeThunk,12_2_03972B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_03972DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039735C0 NtCreateMutant,LdrInitializeThunk,12_2_039735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03974340 NtSetContextThread,12_2_03974340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03974650 NtSuspendThread,12_2_03974650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972B80 NtQueryInformationFile,12_2_03972B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972BA0 NtEnumerateValueKey,12_2_03972BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972BF0 NtAllocateVirtualMemory,12_2_03972BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972BE0 NtQueryValueKey,12_2_03972BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972AB0 NtWaitForSingleObject,12_2_03972AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972AD0 NtReadFile,12_2_03972AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972AF0 NtWriteFile,12_2_03972AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972F90 NtProtectVirtualMemory,12_2_03972F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972FB0 NtResumeThread,12_2_03972FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972FA0 NtQuerySection,12_2_03972FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972FE0 NtCreateFile,12_2_03972FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972F30 NtCreateSection,12_2_03972F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972F60 NtCreateProcessEx,12_2_03972F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972E80 NtReadVirtualMemory,12_2_03972E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972EA0 NtAdjustPrivilegesToken,12_2_03972EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972EE0 NtQueueApcThread,12_2_03972EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972E30 NtWriteVirtualMemory,12_2_03972E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972DB0 NtEnumerateKey,12_2_03972DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972DD0 NtDelayExecution,12_2_03972DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972D10 NtMapViewOfSection,12_2_03972D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972D00 NtSetInformationFile,12_2_03972D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972D30 NtUnmapViewOfSection,12_2_03972D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972CA0 NtQueryInformationToken,12_2_03972CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972CC0 NtQueryVirtualMemory,12_2_03972CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972CF0 NtOpenProcess,12_2_03972CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972C00 NtQueryInformationProcess,12_2_03972C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972C70 NtFreeVirtualMemory,12_2_03972C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972C60 NtCreateKey,12_2_03972C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03973090 NtSetValueKey,12_2_03973090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03973010 NtOpenDirectoryObject,12_2_03973010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039739B0 NtGetContextThread,12_2_039739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03973D10 NtOpenProcessToken,12_2_03973D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03973D70 NtOpenThread,12_2_03973D70
          Source: C:\Windows\System32\AppVClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\b75dbea5ca02394b.binJump to behavior
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C37C007_2_00C37C00
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C5A8107_2_00C5A810
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C379F07_2_00C379F0
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C62D407_2_00C62D40
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C592A07_2_00C592A0
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C5EEB07_2_00C5EEB0
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C593B07_2_00C593B0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009BA81011_2_009BA810
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_00997C0011_2_00997C00
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009979F011_2_009979F0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009C2D4011_2_009C2D40
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009BEEB011_2_009BEEB0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009B92A011_2_009B92A0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009B93B011_2_009B93B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040E85512_2_0040E855
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004010C812_2_004010C8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004010D012_2_004010D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0042F1D312_2_0042F1D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004029F812_2_004029F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00402A0012_2_00402A00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004032D012_2_004032D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041040A12_2_0041040A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041041312_2_00410413
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040150012_2_00401500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00416DA312_2_00416DA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040E64312_2_0040E643
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041063312_2_00410633
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004026F012_2_004026F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040E78812_2_0040E788
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040E79312_2_0040E793
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A003E612_2_03A003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E3F012_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FA35212_2_039FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C02C012_2_039C02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E027412_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A001AA12_2_03A001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F81CC12_2_039F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DA11812_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393010012_2_03930100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C815812_2_039C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D200012_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393C7C012_2_0393C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396475012_2_03964750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394077012_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395C6E012_2_0395C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A0059112_2_03A00591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394053512_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EE4F612_2_039EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E442012_2_039E4420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F244612_2_039F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F6BD712_2_039F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FAB4012_2_039FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA8012_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A0A9A612_2_03A0A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A012_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395696212_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039268B812_2_039268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E8F012_2_0396E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A84012_2_0394A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394284012_2_03942840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BEFA012_2_039BEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03932FC812_2_03932FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394CFE012_2_0394CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03960F3012_2_03960F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E2F3012_2_039E2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03982F2812_2_03982F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B4F4012_2_039B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952E9012_2_03952E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FCE9312_2_039FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FEEDB12_2_039FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FEE2612_2_039FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940E5912_2_03940E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03958DBF12_2_03958DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393ADE012_2_0393ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DCD1F12_2_039DCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394AD0012_2_0394AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0CB512_2_039E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03930CF212_2_03930CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940C0012_2_03940C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0398739A12_2_0398739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F132D12_2_039F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392D34C12_2_0392D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039452A012_2_039452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395B2C012_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E12ED12_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B1B012_2_0394B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A0B16B12_2_03A0B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392F17212_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0397516C12_2_0397516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EF0CC12_2_039EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039470C012_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F70E912_2_039F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FF0E012_2_039FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FF7B012_2_039FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F16CC12_2_039F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DD5B012_2_039DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F757112_2_039F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FF43F12_2_039FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393146012_2_03931460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395FB8012_2_0395FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B5BF012_2_039B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0397DBF912_2_0397DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FFB7612_2_039FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DDAAC12_2_039DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03985AA012_2_03985AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E1AA312_2_039E1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EDAC612_2_039EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FFA4912_2_039FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F7A4612_2_039F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B3A6C12_2_039B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D591012_2_039D5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394995012_2_03949950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395B95012_2_0395B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039438E012_2_039438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AD80012_2_039AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03941F9212_2_03941F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FFFB112_2_039FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FFF0912_2_039FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03949EB012_2_03949EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395FDC012_2_0395FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F1D5A12_2_039F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03943D4012_2_03943D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F7D7312_2_039F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FFCF212_2_039FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B9C3212_2_039B9C32
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 13_2_01A079F013_2_01A079F0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 13_2_01A32D4013_2_01A32D40
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 13_2_01A07C0013_2_01A07C00
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 13_2_01A2A81013_2_01A2A810
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 13_2_01A293B013_2_01A293B0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 13_2_01A292A013_2_01A292A0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 13_2_01A2EEB013_2_01A2EEB0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Load DriverJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: SecurityJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0392B970 appears 278 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03975130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 039AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 039BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03987E54 appears 102 times
          Source: elevation_service.exe0.0.drStatic PE information: Number of sections : 12 > 10
          Source: elevation_service.exe.0.drStatic PE information: Number of sections : 12 > 10
          Source: Shipment Notification.exe, 00000000.00000003.2156569309.0000000004100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemaintenanceservice.exe0 vs Shipment Notification.exe
          Source: Shipment Notification.exe, 00000000.00000003.2087257484.0000000004010000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamearmsvc.exeN vs Shipment Notification.exe
          Source: Shipment Notification.exe, 00000000.00000003.2091512162.0000000004010000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameALG.exej% vs Shipment Notification.exe
          Source: Shipment Notification.exe, 00000000.00000003.2156697482.000000000528D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Shipment Notification.exe
          Source: Shipment Notification.exe, 00000000.00000003.2156444729.00000000050E3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Shipment Notification.exe
          Source: Shipment Notification.exe, 00000000.00000003.2111303633.00000000040F0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs Shipment Notification.exe
          Source: unknownDriver loaded: C:\Windows\System32\drivers\AppVStrm.sys
          Source: Shipment Notification.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Shipment Notification.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: maintenanceservice.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: DiagnosticsHub.StandardCollector.Service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: FXSSVC.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe0.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: Shipment Notification.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: maintenanceservice.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: DiagnosticsHub.StandardCollector.Service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: FXSSVC.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe0.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: classification engineClassification label: mal100.spre.troj.expl.evad.winEXE@9/13@5/2
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.logJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Users\user\AppData\Roaming\b75dbea5ca02394b.binJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-b75dbea5ca02394b73779169-b
          Source: C:\Users\user\Desktop\Shipment Notification.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-b75dbea5ca02394b-inf
          Source: C:\Windows\System32\AppVClient.exeMutant created: \BaseNamedObjects\Global\Multiarch.m0yv-b75dbea5ca02394b9ea72c54-b
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Users\user\AppData\Local\Temp\aut21A4.tmpJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Shipment Notification.exeReversingLabs: Detection: 84%
          Source: unknownProcess created: C:\Users\user\Desktop\Shipment Notification.exe "C:\Users\user\Desktop\Shipment Notification.exe"
          Source: unknownProcess created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
          Source: unknownProcess created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
          Source: unknownProcess created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
          Source: unknownProcess created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
          Source: unknownProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
          Source: C:\Users\user\Desktop\Shipment Notification.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipment Notification.exe"
          Source: unknownProcess created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
          Source: C:\Users\user\Desktop\Shipment Notification.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipment Notification.exe"Jump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: webio.dllJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\alg.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\alg.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\alg.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: appvpolicy.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: samcli.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: logoncli.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: appmanagementconfiguration.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: tapi32.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: credui.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxstiff.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxsresm.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: ualapi.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: version.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32Jump to behavior
          Source: Shipment Notification.exeStatic file information: File size 1793536 > 1048576
          Source: Shipment Notification.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Shipment Notification.exe, 00000000.00000003.2087192387.0000000004010000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: Shipment Notification.exe, 00000000.00000003.2111119822.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: Shipment Notification.exe, 00000000.00000003.2091416659.0000000004010000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: Shipment Notification.exe, 00000000.00000003.2130135533.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: Shipment Notification.exe, 00000000.00000003.2111119822.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: PresentationFontCache.pdb source: Shipment Notification.exe, 00000000.00000003.2130135533.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: maintenanceservice.pdb` source: Shipment Notification.exe, 00000000.00000003.2156206567.0000000004100000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.0.dr
          Source: Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: Shipment Notification.exe, 00000000.00000003.2157216427.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2156697482.0000000005160000.00000004.00001000.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2156444729.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2456850135.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2414060188.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2411229837.0000000003500000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Shipment Notification.exe, 00000000.00000003.2157216427.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2156697482.0000000005160000.00000004.00001000.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2156444729.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2456850135.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2414060188.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2411229837.0000000003500000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.0.dr
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe0.0.dr
          Source: Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
          Source: Binary string: ALG.pdb source: Shipment Notification.exe, 00000000.00000003.2091416659.0000000004010000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: maintenanceservice.pdb source: Shipment Notification.exe, 00000000.00000003.2156206567.0000000004100000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.0.dr
          Source: alg.exe.0.drStatic PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
          Source: elevation_service.exe.0.drStatic PE information: section name: .00cfg
          Source: elevation_service.exe.0.drStatic PE information: section name: .gxfg
          Source: elevation_service.exe.0.drStatic PE information: section name: .retplne
          Source: elevation_service.exe.0.drStatic PE information: section name: _RDATA
          Source: elevation_service.exe.0.drStatic PE information: section name: malloc_h
          Source: maintenanceservice.exe.0.drStatic PE information: section name: .00cfg
          Source: maintenanceservice.exe.0.drStatic PE information: section name: .voltbl
          Source: maintenanceservice.exe.0.drStatic PE information: section name: _RDATA
          Source: armsvc.exe.0.drStatic PE information: section name: .didat
          Source: alg.exe.0.drStatic PE information: section name: .didat
          Source: FXSSVC.exe.0.drStatic PE information: section name: .didat
          Source: elevation_service.exe0.0.drStatic PE information: section name: .00cfg
          Source: elevation_service.exe0.0.drStatic PE information: section name: .gxfg
          Source: elevation_service.exe0.0.drStatic PE information: section name: .retplne
          Source: elevation_service.exe0.0.drStatic PE information: section name: _RDATA
          Source: elevation_service.exe0.0.drStatic PE information: section name: malloc_h
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041B077 pushfd ; ret 12_2_0041B0EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041B0F1 pushfd ; ret 12_2_0041B0EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041F940 push esp; retf 12_2_0041F941
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004242BB push cs; retf 12_2_004242D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00422BB2 push ss; ret 12_2_00422BBA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00423C0A push 00000027h; iretd 12_2_00423C27
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004164C3 push 66DEDC56h; retf 12_2_00416516
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00424C80 push esp; ret 12_2_00424C94
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00403540 push eax; ret 12_2_00403542
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041F5E3 push edi; iretd 12_2_0041F5EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00423DBD push 3E4597ECh; iretd 12_2_00423DC2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00408666 pushfd ; iretd 12_2_00408668
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0042D6E3 push edi; iretd 12_2_0042D6EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004176E5 push eax; ret 12_2_004176E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039309AD push ecx; mov dword ptr [esp], ecx12_2_039309B6
          Source: Shipment Notification.exeStatic PE information: section name: .reloc entropy: 7.9380449238130035
          Source: elevation_service.exe.0.drStatic PE information: section name: .reloc entropy: 7.9528771188956195
          Source: AppVClient.exe.0.drStatic PE information: section name: .reloc entropy: 7.943009026138499
          Source: FXSSVC.exe.0.drStatic PE information: section name: .reloc entropy: 7.9492810596057115
          Source: elevation_service.exe0.0.drStatic PE information: section name: .reloc entropy: 7.9507841144763205

          Persistence and Installation Behavior

          barindex
          Creates files in the system32 config directory
          Source: C:\Windows\System32\AppVClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\b75dbea5ca02394b.binJump to behavior
          Drops executable to a common third party application directory
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Infects executable files (exe, dll, sys, html)
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Windows\System32\AppVClient.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Contains functionality to behave differently if execute on a Russian/Kazak computer
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 7_2_00C352A0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 11_2_009952A0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 13_2_01A052A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 13_2_01A052A0
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\Shipment Notification.exeAPI/Special instruction interceptor: Address: F36EF4
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Shipment Notification.exe, 00000000.00000003.2085923933.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2086055594.0000000000D91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0397096E rdtsc 12_2_0397096E
          Source: C:\Users\user\Desktop\Shipment Notification.exeDropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
          Source: C:\Users\user\Desktop\Shipment Notification.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to dropped file
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_11-5783
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_13-5390
          Source: C:\Windows\System32\AppVClient.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_7-5683
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Users\user\Desktop\Shipment Notification.exe TID: 4320Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exe TID: 5732Thread sleep time: -30000s >= -30000sJump to behavior
          Source: AppVClient.exe, 00000007.00000003.2108722558.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.2108780752.000000000050F000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000002.2119536117.0000000000511000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appv:SoftwareClients/appv:JavaVirtualMachineDM
          Source: Shipment Notification.exe, 00000000.00000003.2133279655.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2141921473.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2142474116.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2149855570.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2132844800.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2149855570.0000000000D52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: Shipment Notification.exe, 00000000.00000003.2149855570.0000000000D3C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWj
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0397096E rdtsc 12_2_0397096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00417D33 LdrLoadDll,12_2_00417D33
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03928397 mov eax, dword ptr fs:[00000030h]12_2_03928397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03928397 mov eax, dword ptr fs:[00000030h]12_2_03928397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03928397 mov eax, dword ptr fs:[00000030h]12_2_03928397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392E388 mov eax, dword ptr fs:[00000030h]12_2_0392E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392E388 mov eax, dword ptr fs:[00000030h]12_2_0392E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392E388 mov eax, dword ptr fs:[00000030h]12_2_0392E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395438F mov eax, dword ptr fs:[00000030h]12_2_0395438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395438F mov eax, dword ptr fs:[00000030h]12_2_0395438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE3DB mov eax, dword ptr fs:[00000030h]12_2_039DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE3DB mov eax, dword ptr fs:[00000030h]12_2_039DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE3DB mov ecx, dword ptr fs:[00000030h]12_2_039DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE3DB mov eax, dword ptr fs:[00000030h]12_2_039DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D43D4 mov eax, dword ptr fs:[00000030h]12_2_039D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D43D4 mov eax, dword ptr fs:[00000030h]12_2_039D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EC3CD mov eax, dword ptr fs:[00000030h]12_2_039EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A3C0 mov eax, dword ptr fs:[00000030h]12_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A3C0 mov eax, dword ptr fs:[00000030h]12_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A3C0 mov eax, dword ptr fs:[00000030h]12_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A3C0 mov eax, dword ptr fs:[00000030h]12_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A3C0 mov eax, dword ptr fs:[00000030h]12_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A3C0 mov eax, dword ptr fs:[00000030h]12_2_0393A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039383C0 mov eax, dword ptr fs:[00000030h]12_2_039383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039383C0 mov eax, dword ptr fs:[00000030h]12_2_039383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039383C0 mov eax, dword ptr fs:[00000030h]12_2_039383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039383C0 mov eax, dword ptr fs:[00000030h]12_2_039383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B63C0 mov eax, dword ptr fs:[00000030h]12_2_039B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E3F0 mov eax, dword ptr fs:[00000030h]12_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E3F0 mov eax, dword ptr fs:[00000030h]12_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E3F0 mov eax, dword ptr fs:[00000030h]12_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039663FF mov eax, dword ptr fs:[00000030h]12_2_039663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039403E9 mov eax, dword ptr fs:[00000030h]12_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039403E9 mov eax, dword ptr fs:[00000030h]12_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039403E9 mov eax, dword ptr fs:[00000030h]12_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039403E9 mov eax, dword ptr fs:[00000030h]12_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039403E9 mov eax, dword ptr fs:[00000030h]12_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039403E9 mov eax, dword ptr fs:[00000030h]12_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039403E9 mov eax, dword ptr fs:[00000030h]12_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039403E9 mov eax, dword ptr fs:[00000030h]12_2_039403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392C310 mov ecx, dword ptr fs:[00000030h]12_2_0392C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03950310 mov ecx, dword ptr fs:[00000030h]12_2_03950310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A30B mov eax, dword ptr fs:[00000030h]12_2_0396A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A30B mov eax, dword ptr fs:[00000030h]12_2_0396A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A30B mov eax, dword ptr fs:[00000030h]12_2_0396A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B035C mov eax, dword ptr fs:[00000030h]12_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B035C mov eax, dword ptr fs:[00000030h]12_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B035C mov eax, dword ptr fs:[00000030h]12_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B035C mov ecx, dword ptr fs:[00000030h]12_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B035C mov eax, dword ptr fs:[00000030h]12_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B035C mov eax, dword ptr fs:[00000030h]12_2_039B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FA352 mov eax, dword ptr fs:[00000030h]12_2_039FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D8350 mov ecx, dword ptr fs:[00000030h]12_2_039D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B2349 mov eax, dword ptr fs:[00000030h]12_2_039B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D437C mov eax, dword ptr fs:[00000030h]12_2_039D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E284 mov eax, dword ptr fs:[00000030h]12_2_0396E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E284 mov eax, dword ptr fs:[00000030h]12_2_0396E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B0283 mov eax, dword ptr fs:[00000030h]12_2_039B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B0283 mov eax, dword ptr fs:[00000030h]12_2_039B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B0283 mov eax, dword ptr fs:[00000030h]12_2_039B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039402A0 mov eax, dword ptr fs:[00000030h]12_2_039402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039402A0 mov eax, dword ptr fs:[00000030h]12_2_039402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C62A0 mov eax, dword ptr fs:[00000030h]12_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C62A0 mov ecx, dword ptr fs:[00000030h]12_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C62A0 mov eax, dword ptr fs:[00000030h]12_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C62A0 mov eax, dword ptr fs:[00000030h]12_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C62A0 mov eax, dword ptr fs:[00000030h]12_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C62A0 mov eax, dword ptr fs:[00000030h]12_2_039C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A2C3 mov eax, dword ptr fs:[00000030h]12_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A2C3 mov eax, dword ptr fs:[00000030h]12_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A2C3 mov eax, dword ptr fs:[00000030h]12_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A2C3 mov eax, dword ptr fs:[00000030h]12_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A2C3 mov eax, dword ptr fs:[00000030h]12_2_0393A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039402E1 mov eax, dword ptr fs:[00000030h]12_2_039402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039402E1 mov eax, dword ptr fs:[00000030h]12_2_039402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039402E1 mov eax, dword ptr fs:[00000030h]12_2_039402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392823B mov eax, dword ptr fs:[00000030h]12_2_0392823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392A250 mov eax, dword ptr fs:[00000030h]12_2_0392A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936259 mov eax, dword ptr fs:[00000030h]12_2_03936259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B8243 mov eax, dword ptr fs:[00000030h]12_2_039B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B8243 mov ecx, dword ptr fs:[00000030h]12_2_039B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E0274 mov eax, dword ptr fs:[00000030h]12_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03934260 mov eax, dword ptr fs:[00000030h]12_2_03934260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03934260 mov eax, dword ptr fs:[00000030h]12_2_03934260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03934260 mov eax, dword ptr fs:[00000030h]12_2_03934260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392826B mov eax, dword ptr fs:[00000030h]12_2_0392826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B019F mov eax, dword ptr fs:[00000030h]12_2_039B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B019F mov eax, dword ptr fs:[00000030h]12_2_039B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B019F mov eax, dword ptr fs:[00000030h]12_2_039B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B019F mov eax, dword ptr fs:[00000030h]12_2_039B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392A197 mov eax, dword ptr fs:[00000030h]12_2_0392A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392A197 mov eax, dword ptr fs:[00000030h]12_2_0392A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392A197 mov eax, dword ptr fs:[00000030h]12_2_0392A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03970185 mov eax, dword ptr fs:[00000030h]12_2_03970185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EC188 mov eax, dword ptr fs:[00000030h]12_2_039EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EC188 mov eax, dword ptr fs:[00000030h]12_2_039EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D4180 mov eax, dword ptr fs:[00000030h]12_2_039D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D4180 mov eax, dword ptr fs:[00000030h]12_2_039D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A061E5 mov eax, dword ptr fs:[00000030h]12_2_03A061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE1D0 mov eax, dword ptr fs:[00000030h]12_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE1D0 mov eax, dword ptr fs:[00000030h]12_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]12_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE1D0 mov eax, dword ptr fs:[00000030h]12_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE1D0 mov eax, dword ptr fs:[00000030h]12_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F61C3 mov eax, dword ptr fs:[00000030h]12_2_039F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F61C3 mov eax, dword ptr fs:[00000030h]12_2_039F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039601F8 mov eax, dword ptr fs:[00000030h]12_2_039601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DA118 mov ecx, dword ptr fs:[00000030h]12_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DA118 mov eax, dword ptr fs:[00000030h]12_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DA118 mov eax, dword ptr fs:[00000030h]12_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DA118 mov eax, dword ptr fs:[00000030h]12_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F0115 mov eax, dword ptr fs:[00000030h]12_2_039F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov eax, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov ecx, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov eax, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov eax, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov ecx, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov eax, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov eax, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov ecx, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov eax, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DE10E mov ecx, dword ptr fs:[00000030h]12_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03960124 mov eax, dword ptr fs:[00000030h]12_2_03960124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392C156 mov eax, dword ptr fs:[00000030h]12_2_0392C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C8158 mov eax, dword ptr fs:[00000030h]12_2_039C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936154 mov eax, dword ptr fs:[00000030h]12_2_03936154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936154 mov eax, dword ptr fs:[00000030h]12_2_03936154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C4144 mov eax, dword ptr fs:[00000030h]12_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C4144 mov eax, dword ptr fs:[00000030h]12_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C4144 mov ecx, dword ptr fs:[00000030h]12_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C4144 mov eax, dword ptr fs:[00000030h]12_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C4144 mov eax, dword ptr fs:[00000030h]12_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393208A mov eax, dword ptr fs:[00000030h]12_2_0393208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F60B8 mov eax, dword ptr fs:[00000030h]12_2_039F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F60B8 mov ecx, dword ptr fs:[00000030h]12_2_039F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C80A8 mov eax, dword ptr fs:[00000030h]12_2_039C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B20DE mov eax, dword ptr fs:[00000030h]12_2_039B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392C0F0 mov eax, dword ptr fs:[00000030h]12_2_0392C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039720F0 mov ecx, dword ptr fs:[00000030h]12_2_039720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]12_2_0392A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039380E9 mov eax, dword ptr fs:[00000030h]12_2_039380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B60E0 mov eax, dword ptr fs:[00000030h]12_2_039B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E016 mov eax, dword ptr fs:[00000030h]12_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E016 mov eax, dword ptr fs:[00000030h]12_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E016 mov eax, dword ptr fs:[00000030h]12_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E016 mov eax, dword ptr fs:[00000030h]12_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B4000 mov ecx, dword ptr fs:[00000030h]12_2_039B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D2000 mov eax, dword ptr fs:[00000030h]12_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D2000 mov eax, dword ptr fs:[00000030h]12_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D2000 mov eax, dword ptr fs:[00000030h]12_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D2000 mov eax, dword ptr fs:[00000030h]12_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D2000 mov eax, dword ptr fs:[00000030h]12_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D2000 mov eax, dword ptr fs:[00000030h]12_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D2000 mov eax, dword ptr fs:[00000030h]12_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D2000 mov eax, dword ptr fs:[00000030h]12_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C6030 mov eax, dword ptr fs:[00000030h]12_2_039C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392A020 mov eax, dword ptr fs:[00000030h]12_2_0392A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392C020 mov eax, dword ptr fs:[00000030h]12_2_0392C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03932050 mov eax, dword ptr fs:[00000030h]12_2_03932050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B6050 mov eax, dword ptr fs:[00000030h]12_2_039B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395C073 mov eax, dword ptr fs:[00000030h]12_2_0395C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D678E mov eax, dword ptr fs:[00000030h]12_2_039D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039307AF mov eax, dword ptr fs:[00000030h]12_2_039307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E47A0 mov eax, dword ptr fs:[00000030h]12_2_039E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393C7C0 mov eax, dword ptr fs:[00000030h]12_2_0393C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B07C3 mov eax, dword ptr fs:[00000030h]12_2_039B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039347FB mov eax, dword ptr fs:[00000030h]12_2_039347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039347FB mov eax, dword ptr fs:[00000030h]12_2_039347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039527ED mov eax, dword ptr fs:[00000030h]12_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039527ED mov eax, dword ptr fs:[00000030h]12_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039527ED mov eax, dword ptr fs:[00000030h]12_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BE7E1 mov eax, dword ptr fs:[00000030h]12_2_039BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03930710 mov eax, dword ptr fs:[00000030h]12_2_03930710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03960710 mov eax, dword ptr fs:[00000030h]12_2_03960710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396C700 mov eax, dword ptr fs:[00000030h]12_2_0396C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396273C mov eax, dword ptr fs:[00000030h]12_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396273C mov ecx, dword ptr fs:[00000030h]12_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396273C mov eax, dword ptr fs:[00000030h]12_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AC730 mov eax, dword ptr fs:[00000030h]12_2_039AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396C720 mov eax, dword ptr fs:[00000030h]12_2_0396C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396C720 mov eax, dword ptr fs:[00000030h]12_2_0396C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03930750 mov eax, dword ptr fs:[00000030h]12_2_03930750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BE75D mov eax, dword ptr fs:[00000030h]12_2_039BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972750 mov eax, dword ptr fs:[00000030h]12_2_03972750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972750 mov eax, dword ptr fs:[00000030h]12_2_03972750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B4755 mov eax, dword ptr fs:[00000030h]12_2_039B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396674D mov esi, dword ptr fs:[00000030h]12_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396674D mov eax, dword ptr fs:[00000030h]12_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396674D mov eax, dword ptr fs:[00000030h]12_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938770 mov eax, dword ptr fs:[00000030h]12_2_03938770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940770 mov eax, dword ptr fs:[00000030h]12_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03934690 mov eax, dword ptr fs:[00000030h]12_2_03934690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03934690 mov eax, dword ptr fs:[00000030h]12_2_03934690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039666B0 mov eax, dword ptr fs:[00000030h]12_2_039666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396C6A6 mov eax, dword ptr fs:[00000030h]12_2_0396C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]12_2_0396A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A6C7 mov eax, dword ptr fs:[00000030h]12_2_0396A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE6F2 mov eax, dword ptr fs:[00000030h]12_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE6F2 mov eax, dword ptr fs:[00000030h]12_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE6F2 mov eax, dword ptr fs:[00000030h]12_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE6F2 mov eax, dword ptr fs:[00000030h]12_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B06F1 mov eax, dword ptr fs:[00000030h]12_2_039B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B06F1 mov eax, dword ptr fs:[00000030h]12_2_039B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03972619 mov eax, dword ptr fs:[00000030h]12_2_03972619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE609 mov eax, dword ptr fs:[00000030h]12_2_039AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394260B mov eax, dword ptr fs:[00000030h]12_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394260B mov eax, dword ptr fs:[00000030h]12_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394260B mov eax, dword ptr fs:[00000030h]12_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394260B mov eax, dword ptr fs:[00000030h]12_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394260B mov eax, dword ptr fs:[00000030h]12_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394260B mov eax, dword ptr fs:[00000030h]12_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394260B mov eax, dword ptr fs:[00000030h]12_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394E627 mov eax, dword ptr fs:[00000030h]12_2_0394E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03966620 mov eax, dword ptr fs:[00000030h]12_2_03966620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03968620 mov eax, dword ptr fs:[00000030h]12_2_03968620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393262C mov eax, dword ptr fs:[00000030h]12_2_0393262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394C640 mov eax, dword ptr fs:[00000030h]12_2_0394C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03962674 mov eax, dword ptr fs:[00000030h]12_2_03962674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F866E mov eax, dword ptr fs:[00000030h]12_2_039F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F866E mov eax, dword ptr fs:[00000030h]12_2_039F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A660 mov eax, dword ptr fs:[00000030h]12_2_0396A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A660 mov eax, dword ptr fs:[00000030h]12_2_0396A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E59C mov eax, dword ptr fs:[00000030h]12_2_0396E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03932582 mov eax, dword ptr fs:[00000030h]12_2_03932582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03932582 mov ecx, dword ptr fs:[00000030h]12_2_03932582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03964588 mov eax, dword ptr fs:[00000030h]12_2_03964588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039545B1 mov eax, dword ptr fs:[00000030h]12_2_039545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039545B1 mov eax, dword ptr fs:[00000030h]12_2_039545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B05A7 mov eax, dword ptr fs:[00000030h]12_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B05A7 mov eax, dword ptr fs:[00000030h]12_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B05A7 mov eax, dword ptr fs:[00000030h]12_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039365D0 mov eax, dword ptr fs:[00000030h]12_2_039365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A5D0 mov eax, dword ptr fs:[00000030h]12_2_0396A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A5D0 mov eax, dword ptr fs:[00000030h]12_2_0396A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E5CF mov eax, dword ptr fs:[00000030h]12_2_0396E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E5CF mov eax, dword ptr fs:[00000030h]12_2_0396E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E5E7 mov eax, dword ptr fs:[00000030h]12_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E5E7 mov eax, dword ptr fs:[00000030h]12_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E5E7 mov eax, dword ptr fs:[00000030h]12_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E5E7 mov eax, dword ptr fs:[00000030h]12_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E5E7 mov eax, dword ptr fs:[00000030h]12_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E5E7 mov eax, dword ptr fs:[00000030h]12_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E5E7 mov eax, dword ptr fs:[00000030h]12_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E5E7 mov eax, dword ptr fs:[00000030h]12_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039325E0 mov eax, dword ptr fs:[00000030h]12_2_039325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396C5ED mov eax, dword ptr fs:[00000030h]12_2_0396C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396C5ED mov eax, dword ptr fs:[00000030h]12_2_0396C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C6500 mov eax, dword ptr fs:[00000030h]12_2_039C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04500 mov eax, dword ptr fs:[00000030h]12_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04500 mov eax, dword ptr fs:[00000030h]12_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04500 mov eax, dword ptr fs:[00000030h]12_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04500 mov eax, dword ptr fs:[00000030h]12_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04500 mov eax, dword ptr fs:[00000030h]12_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04500 mov eax, dword ptr fs:[00000030h]12_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04500 mov eax, dword ptr fs:[00000030h]12_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940535 mov eax, dword ptr fs:[00000030h]12_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940535 mov eax, dword ptr fs:[00000030h]12_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940535 mov eax, dword ptr fs:[00000030h]12_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940535 mov eax, dword ptr fs:[00000030h]12_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940535 mov eax, dword ptr fs:[00000030h]12_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940535 mov eax, dword ptr fs:[00000030h]12_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E53E mov eax, dword ptr fs:[00000030h]12_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E53E mov eax, dword ptr fs:[00000030h]12_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E53E mov eax, dword ptr fs:[00000030h]12_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E53E mov eax, dword ptr fs:[00000030h]12_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E53E mov eax, dword ptr fs:[00000030h]12_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938550 mov eax, dword ptr fs:[00000030h]12_2_03938550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938550 mov eax, dword ptr fs:[00000030h]12_2_03938550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396656A mov eax, dword ptr fs:[00000030h]12_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396656A mov eax, dword ptr fs:[00000030h]12_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396656A mov eax, dword ptr fs:[00000030h]12_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039644B0 mov ecx, dword ptr fs:[00000030h]12_2_039644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BA4B0 mov eax, dword ptr fs:[00000030h]12_2_039BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039364AB mov eax, dword ptr fs:[00000030h]12_2_039364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039304E5 mov ecx, dword ptr fs:[00000030h]12_2_039304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03968402 mov eax, dword ptr fs:[00000030h]12_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03968402 mov eax, dword ptr fs:[00000030h]12_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03968402 mov eax, dword ptr fs:[00000030h]12_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A430 mov eax, dword ptr fs:[00000030h]12_2_0396A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392E420 mov eax, dword ptr fs:[00000030h]12_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392E420 mov eax, dword ptr fs:[00000030h]12_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392E420 mov eax, dword ptr fs:[00000030h]12_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392C427 mov eax, dword ptr fs:[00000030h]12_2_0392C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B6420 mov eax, dword ptr fs:[00000030h]12_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B6420 mov eax, dword ptr fs:[00000030h]12_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B6420 mov eax, dword ptr fs:[00000030h]12_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B6420 mov eax, dword ptr fs:[00000030h]12_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B6420 mov eax, dword ptr fs:[00000030h]12_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B6420 mov eax, dword ptr fs:[00000030h]12_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B6420 mov eax, dword ptr fs:[00000030h]12_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392645D mov eax, dword ptr fs:[00000030h]12_2_0392645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395245A mov eax, dword ptr fs:[00000030h]12_2_0395245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E443 mov eax, dword ptr fs:[00000030h]12_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E443 mov eax, dword ptr fs:[00000030h]12_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E443 mov eax, dword ptr fs:[00000030h]12_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E443 mov eax, dword ptr fs:[00000030h]12_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E443 mov eax, dword ptr fs:[00000030h]12_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E443 mov eax, dword ptr fs:[00000030h]12_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E443 mov eax, dword ptr fs:[00000030h]12_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396E443 mov eax, dword ptr fs:[00000030h]12_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395A470 mov eax, dword ptr fs:[00000030h]12_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395A470 mov eax, dword ptr fs:[00000030h]12_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395A470 mov eax, dword ptr fs:[00000030h]12_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BC460 mov ecx, dword ptr fs:[00000030h]12_2_039BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940BBE mov eax, dword ptr fs:[00000030h]12_2_03940BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940BBE mov eax, dword ptr fs:[00000030h]12_2_03940BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4BB0 mov eax, dword ptr fs:[00000030h]12_2_039E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4BB0 mov eax, dword ptr fs:[00000030h]12_2_039E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DEBD0 mov eax, dword ptr fs:[00000030h]12_2_039DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03950BCB mov eax, dword ptr fs:[00000030h]12_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03950BCB mov eax, dword ptr fs:[00000030h]12_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03950BCB mov eax, dword ptr fs:[00000030h]12_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03930BCD mov eax, dword ptr fs:[00000030h]12_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03930BCD mov eax, dword ptr fs:[00000030h]12_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03930BCD mov eax, dword ptr fs:[00000030h]12_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938BF0 mov eax, dword ptr fs:[00000030h]12_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938BF0 mov eax, dword ptr fs:[00000030h]12_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938BF0 mov eax, dword ptr fs:[00000030h]12_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395EBFC mov eax, dword ptr fs:[00000030h]12_2_0395EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BCBF0 mov eax, dword ptr fs:[00000030h]12_2_039BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AEB1D mov eax, dword ptr fs:[00000030h]12_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395EB20 mov eax, dword ptr fs:[00000030h]12_2_0395EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395EB20 mov eax, dword ptr fs:[00000030h]12_2_0395EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F8B28 mov eax, dword ptr fs:[00000030h]12_2_039F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F8B28 mov eax, dword ptr fs:[00000030h]12_2_039F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DEB50 mov eax, dword ptr fs:[00000030h]12_2_039DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4B4B mov eax, dword ptr fs:[00000030h]12_2_039E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4B4B mov eax, dword ptr fs:[00000030h]12_2_039E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C6B40 mov eax, dword ptr fs:[00000030h]12_2_039C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C6B40 mov eax, dword ptr fs:[00000030h]12_2_039C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FAB40 mov eax, dword ptr fs:[00000030h]12_2_039FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D8B42 mov eax, dword ptr fs:[00000030h]12_2_039D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392CB7E mov eax, dword ptr fs:[00000030h]12_2_0392CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03968A90 mov edx, dword ptr fs:[00000030h]12_2_03968A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393EA80 mov eax, dword ptr fs:[00000030h]12_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04A80 mov eax, dword ptr fs:[00000030h]12_2_03A04A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938AA0 mov eax, dword ptr fs:[00000030h]12_2_03938AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938AA0 mov eax, dword ptr fs:[00000030h]12_2_03938AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03986AA4 mov eax, dword ptr fs:[00000030h]12_2_03986AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03930AD0 mov eax, dword ptr fs:[00000030h]12_2_03930AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03964AD0 mov eax, dword ptr fs:[00000030h]12_2_03964AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03964AD0 mov eax, dword ptr fs:[00000030h]12_2_03964AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03986ACC mov eax, dword ptr fs:[00000030h]12_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03986ACC mov eax, dword ptr fs:[00000030h]12_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03986ACC mov eax, dword ptr fs:[00000030h]12_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396AAEE mov eax, dword ptr fs:[00000030h]12_2_0396AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396AAEE mov eax, dword ptr fs:[00000030h]12_2_0396AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BCA11 mov eax, dword ptr fs:[00000030h]12_2_039BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03954A35 mov eax, dword ptr fs:[00000030h]12_2_03954A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03954A35 mov eax, dword ptr fs:[00000030h]12_2_03954A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396CA38 mov eax, dword ptr fs:[00000030h]12_2_0396CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396CA24 mov eax, dword ptr fs:[00000030h]12_2_0396CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395EA2E mov eax, dword ptr fs:[00000030h]12_2_0395EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936A50 mov eax, dword ptr fs:[00000030h]12_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936A50 mov eax, dword ptr fs:[00000030h]12_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936A50 mov eax, dword ptr fs:[00000030h]12_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936A50 mov eax, dword ptr fs:[00000030h]12_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936A50 mov eax, dword ptr fs:[00000030h]12_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936A50 mov eax, dword ptr fs:[00000030h]12_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03936A50 mov eax, dword ptr fs:[00000030h]12_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940A5B mov eax, dword ptr fs:[00000030h]12_2_03940A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03940A5B mov eax, dword ptr fs:[00000030h]12_2_03940A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039ACA72 mov eax, dword ptr fs:[00000030h]12_2_039ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039ACA72 mov eax, dword ptr fs:[00000030h]12_2_039ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396CA6F mov eax, dword ptr fs:[00000030h]12_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396CA6F mov eax, dword ptr fs:[00000030h]12_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396CA6F mov eax, dword ptr fs:[00000030h]12_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DEA60 mov eax, dword ptr fs:[00000030h]12_2_039DEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B89B3 mov esi, dword ptr fs:[00000030h]12_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B89B3 mov eax, dword ptr fs:[00000030h]12_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B89B3 mov eax, dword ptr fs:[00000030h]12_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039429A0 mov eax, dword ptr fs:[00000030h]12_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039309AD mov eax, dword ptr fs:[00000030h]12_2_039309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039309AD mov eax, dword ptr fs:[00000030h]12_2_039309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A9D0 mov eax, dword ptr fs:[00000030h]12_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A9D0 mov eax, dword ptr fs:[00000030h]12_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A9D0 mov eax, dword ptr fs:[00000030h]12_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A9D0 mov eax, dword ptr fs:[00000030h]12_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A9D0 mov eax, dword ptr fs:[00000030h]12_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393A9D0 mov eax, dword ptr fs:[00000030h]12_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039649D0 mov eax, dword ptr fs:[00000030h]12_2_039649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FA9D3 mov eax, dword ptr fs:[00000030h]12_2_039FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C69C0 mov eax, dword ptr fs:[00000030h]12_2_039C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039629F9 mov eax, dword ptr fs:[00000030h]12_2_039629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039629F9 mov eax, dword ptr fs:[00000030h]12_2_039629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BE9E0 mov eax, dword ptr fs:[00000030h]12_2_039BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BC912 mov eax, dword ptr fs:[00000030h]12_2_039BC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03928918 mov eax, dword ptr fs:[00000030h]12_2_03928918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03928918 mov eax, dword ptr fs:[00000030h]12_2_03928918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE908 mov eax, dword ptr fs:[00000030h]12_2_039AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039AE908 mov eax, dword ptr fs:[00000030h]12_2_039AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B892A mov eax, dword ptr fs:[00000030h]12_2_039B892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C892B mov eax, dword ptr fs:[00000030h]12_2_039C892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039B0946 mov eax, dword ptr fs:[00000030h]12_2_039B0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D4978 mov eax, dword ptr fs:[00000030h]12_2_039D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D4978 mov eax, dword ptr fs:[00000030h]12_2_039D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BC97C mov eax, dword ptr fs:[00000030h]12_2_039BC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03956962 mov eax, dword ptr fs:[00000030h]12_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03956962 mov eax, dword ptr fs:[00000030h]12_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03956962 mov eax, dword ptr fs:[00000030h]12_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0397096E mov eax, dword ptr fs:[00000030h]12_2_0397096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0397096E mov edx, dword ptr fs:[00000030h]12_2_0397096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0397096E mov eax, dword ptr fs:[00000030h]12_2_0397096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BC89D mov eax, dword ptr fs:[00000030h]12_2_039BC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03930887 mov eax, dword ptr fs:[00000030h]12_2_03930887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395E8C0 mov eax, dword ptr fs:[00000030h]12_2_0395E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396C8F9 mov eax, dword ptr fs:[00000030h]12_2_0396C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396C8F9 mov eax, dword ptr fs:[00000030h]12_2_0396C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FA8E4 mov eax, dword ptr fs:[00000030h]12_2_039FA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BC810 mov eax, dword ptr fs:[00000030h]12_2_039BC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952835 mov eax, dword ptr fs:[00000030h]12_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952835 mov eax, dword ptr fs:[00000030h]12_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952835 mov eax, dword ptr fs:[00000030h]12_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952835 mov ecx, dword ptr fs:[00000030h]12_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952835 mov eax, dword ptr fs:[00000030h]12_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952835 mov eax, dword ptr fs:[00000030h]12_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A830 mov eax, dword ptr fs:[00000030h]12_2_0396A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D483A mov eax, dword ptr fs:[00000030h]12_2_039D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D483A mov eax, dword ptr fs:[00000030h]12_2_039D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03960854 mov eax, dword ptr fs:[00000030h]12_2_03960854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03934859 mov eax, dword ptr fs:[00000030h]12_2_03934859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03934859 mov eax, dword ptr fs:[00000030h]12_2_03934859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03942840 mov ecx, dword ptr fs:[00000030h]12_2_03942840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BE872 mov eax, dword ptr fs:[00000030h]12_2_039BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039BE872 mov eax, dword ptr fs:[00000030h]12_2_039BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C6870 mov eax, dword ptr fs:[00000030h]12_2_039C6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039C6870 mov eax, dword ptr fs:[00000030h]12_2_039C6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03962F98 mov eax, dword ptr fs:[00000030h]12_2_03962F98
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03962F98 mov eax, dword ptr fs:[00000030h]12_2_03962F98
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396CF80 mov eax, dword ptr fs:[00000030h]12_2_0396CF80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03A04FE7 mov eax, dword ptr fs:[00000030h]12_2_03A04FE7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392EFD8 mov eax, dword ptr fs:[00000030h]12_2_0392EFD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392EFD8 mov eax, dword ptr fs:[00000030h]12_2_0392EFD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392EFD8 mov eax, dword ptr fs:[00000030h]12_2_0392EFD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03932FC8 mov eax, dword ptr fs:[00000030h]12_2_03932FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03932FC8 mov eax, dword ptr fs:[00000030h]12_2_03932FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03932FC8 mov eax, dword ptr fs:[00000030h]12_2_03932FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03932FC8 mov eax, dword ptr fs:[00000030h]12_2_03932FC8
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Found direct / indirect Syscall (likely to bypass EDR)
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtOpenKeyEx: Indirect: 0x140077B9BJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtQueryValueKey: Indirect: 0x140077C9FJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtClose: Indirect: 0x140077E81
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Shipment Notification.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\Shipment Notification.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2FF5008Jump to behavior
          Source: C:\Users\user\Desktop\Shipment Notification.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipment Notification.exe"Jump to behavior
          Source: Shipment Notification.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: C:\Users\user\Desktop\Shipment Notification.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\AppVClient.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST321F.tmp VolumeInformationJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST325E.tmp VolumeInformationJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_00C50080 VirtualFree,VirtualFree,VirtualAlloc,GetUserNameW,GetComputerNameW,GetComputerNameW,7_2_00C50080

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.2456776187.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.2456776187.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
          Native API          		2
          LSASS Driver          		212
          Process Injection          		222
          Masquerading          		OS Credential Dumping321
          Security Software Discovery          		1
          Taint Shared Content          		1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          DLL Side-Loading          		1
          Abuse Elevation Control Mechanism          		2
          Virtualization/Sandbox Evasion          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable Media2
          Non-Application Layer Protocol          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
          LSASS Driver          		212
          Process Injection          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared Drive12
          Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
          DLL Side-Loading          		1
          Deobfuscate/Decode Files or Information          		NTDS1
          Account Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Abuse Elevation Control Mechanism          		LSA Secrets1
          System Owner/User Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
          Obfuscated Files or Information          		Cached Domain Credentials111
          System Information Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          Software Packing          		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          Timestomp          		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
          DLL Side-Loading          		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1573129 Sample: Shipment Notification.exe Startdate: 11/12/2024 Architecture: WINDOWS Score: 100 28 zlenh.biz 2->28 30 vcddkls.biz 2->30 32 4 other IPs or domains 2->32 38 Suricata IDS alerts for network traffic 2->38 40 Antivirus detection for URL or domain 2->40 42 Antivirus detection for dropped file 2->42 44 9 other signatures 2->44 7 Shipment Notification.exe 3 2->7         started        12 AppVClient.exe 1 2->12         started        14 FXSSVC.exe 15 4 2->14         started        16 7 other processes 2->16 signatures3 process4 dnsIp5 34 vcddkls.biz 18.141.10.107, 49706, 49707, 49740 AMAZON-02US United States 7->34 36 pywolwnvd.biz 54.244.188.177, 49704, 49705, 49708 AMAZON-02US United States 7->36 20 C:\Windows\System32\alg.exe, PE32+ 7->20 dropped 22 C:\Windows\System32\FXSSVC.exe, PE32+ 7->22 dropped 24 DiagnosticsHub.Sta...llector.Service.exe, PE32+ 7->24 dropped 26 5 other malicious files 7->26 dropped 46 Binary is likely a compiled AutoIt script file 7->46 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->48 50 Writes to foreign memory regions 7->50 62 3 other signatures 7->62 18 svchost.exe 7->18         started        52 Antivirus detection for dropped file 12->52 54 Creates files in the system32 config directory 12->54 56 Machine Learning detection for dropped file 12->56 58 Contains functionality to behave differently if execute on a Russian/Kazak computer 12->58 60 Found direct / indirect Syscall (likely to bypass EDR) 16->60 file6 signatures7 process8

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Shipment Notification.exe84%ReversingLabsWin32.Virus.Expiro
          Shipment Notification.exe100%AviraW32/Infector.Gen
          Shipment Notification.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe100%AviraW32/Infector.Gen
          C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe100%AviraW32/Infector.Gen
          C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe100%AviraW32/Infector.Gen
          C:\Windows\System32\AppVClient.exe100%AviraW32/Infector.Gen
          C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe100%AviraW32/Infector.Gen
          C:\Windows\System32\FXSSVC.exe100%AviraW32/Infector.Gen
          C:\Windows\System32\alg.exe100%AviraW32/Infector.Gen
          C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe100%AviraW32/Infector.Gen
          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe100%Joe Sandbox ML
          C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe100%Joe Sandbox ML
          C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe100%Joe Sandbox ML
          C:\Windows\System32\AppVClient.exe100%Joe Sandbox ML
          C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe100%Joe Sandbox ML
          C:\Windows\System32\FXSSVC.exe100%Joe Sandbox ML
          C:\Windows\System32\alg.exe100%Joe Sandbox ML
          C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe100%Joe Sandbox ML

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://18.141.10.107:80/odsonv0%Avira URL Cloudsafe
          http://18.141.10.107/odsonv0%Avira URL Cloudsafe
          http://54.244.188.177:80/wqjbkdjiyp0%Avira URL Cloudsafe
          http://54.244.188.177/00%Avira URL Cloudsafe
          http://54.244.188.177/L100%Avira URL Cloudphishing
          http://54.244.188.177/5a0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          ssbzmoy.biz
          		18.141.10.107
          		truefalse
            		high
            pywolwnvd.biz
            		54.244.188.177
            		truefalse
              		high
              vcddkls.biz
              		18.141.10.107
              		truefalse
                		high

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://ssbzmoy.biz/ifrlysutnhlrfalse
                  		high
                  http://pywolwnvd.biz/wqjbkdjiyfalse
                    		high
                    http://knjghuig.biz/hsyjdjsftfdjffalse
                      		high
                      http://ssbzmoy.biz/odsonvfalse
                        		high
                        http://pywolwnvd.biz/nufalse
                          		high
                          http://cvgrf.biz/pmfalse
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilithelevation_service.exe.0.drfalse
                              		high
                              http://18.141.10.107:80/odsonvShipment Notification.exe, 00000000.00000003.2149855570.0000000000D52000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://54.244.188.177/5aShipment Notification.exe, 00000000.00000003.2113341449.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112354159.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2113577723.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112582816.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112960416.0000000000D6D000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://54.244.188.177:80/wqjbkdjiypShipment Notification.exe, 00000000.00000003.2118599789.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2127230929.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2126770354.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2125994169.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2127641557.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2121538826.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2123927792.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2118279910.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2116094406.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2125659450.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2115519146.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2120542765.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2120325191.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2131962281.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2123625602.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2116322387.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2122485322.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2116981590.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2117142679.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2115175743.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2115913651.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://18.141.10.107/odsonvShipment Notification.exe, 00000000.00000003.2143398750.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2144728878.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2143080369.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2145184802.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2142746119.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://54.244.188.177/LShipment Notification.exe, 00000000.00000003.2113341449.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112354159.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2113577723.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112582816.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Shipment Notification.exe, 00000000.00000003.2112960416.0000000000D6D000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: phishing
                              		unknown
                              https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffelevation_service.exe.0.drfalse
                                		high
                                http://18.141.10.107/Shipment Notification.exe, 00000000.00000003.2149855570.0000000000D52000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://54.244.188.177/0Shipment Notification.exe, 00000000.00000003.2112960416.0000000000D6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  54.244.188.177
                                  		pywolwnvd.bizUnited States
                                  		16509AMAZON-02USfalse
                                  18.141.10.107
                                  		ssbzmoy.bizUnited States
                                  		16509AMAZON-02USfalse

                                  General Information

                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1573129
                                  Start date and time:2024-12-11 15:08:08 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 7m 42s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:13
                                  Number of new started drivers analysed:3
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:Shipment Notification.exe
                                  Detection:MAL
                                  Classification:mal100.spre.troj.expl.evad.winEXE@9/13@5/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 73%
                                  • Number of executed functions: 42
                                  • Number of non-executed functions: 264
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe

                                  Warnings

                                  • Exclude process from analysis (whitelisted): dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
                                  • Excluded domains from analysis (whitelisted): przvgke.biz, zlenh.biz, otelrules.azureedge.net, slscr.update.microsoft.com, knjghuig.biz, vjaxhpbji.biz, ctldl.windowsupdate.com, ifsaia.biz, uhxqin.biz, fe3cr.delivery.mp.microsoft.com, ww12.przvgke.biz, cvgrf.biz, ww99.przvgke.biz, ocsp.digicert.com, lpuegx.biz, saytjshyf.biz, xlfhhhm.biz, npukfztj.biz, anpmnmxo.biz
                                  • VT rate limit hit for: Shipment Notification.exe

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  09:09:07API Interceptor1x Sleep call for process: Shipment Notification.exe modified
                                  09:09:37API Interceptor3x Sleep call for process: svchost.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  54.244.188.177HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • cvgrf.biz/yfypviummaqwyuq
                                  MA-DS-2024-03 URGENT.exeGet hashmaliciousFormBookBrowse
                                  • pywolwnvd.biz/usxsp
                                  Request for Quotation.exeGet hashmaliciousFormBookBrowse
                                  • cvgrf.biz/iropyruplkan
                                  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • cvgrf.biz/hfsfqfqbrwib
                                  PURCHASE REQUIRED DETAILS 000487958790903403.exeGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                  • cvgrf.biz/npdqgsoqmq
                                  RFQ _ Virtue 054451000085.exeGet hashmaliciousFormBookBrowse
                                  • cvgrf.biz/rtjcy
                                  OgkJOmobY7.exeGet hashmaliciousFormBookBrowse
                                  • pywolwnvd.biz/hemfkj
                                  Ziraat_Swift.htaGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • pywolwnvd.biz/nwqf
                                  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                  • cvgrf.biz/yqmdwhskkjhif
                                  invoice_96.73.exeGet hashmaliciousFormBookBrowse
                                  • lrxdmhrr.biz/tgcwttfqletfhyq
                                  18.141.10.107HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • vcddkls.biz/lqpvpf
                                  Request for Quotation.exeGet hashmaliciousFormBookBrowse
                                  • vcddkls.biz/ytpebbldheutao
                                  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • vcddkls.biz/ymdlhl
                                  PURCHASE REQUIRED DETAILS 000487958790903403.exeGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                  • knjghuig.biz/jedofahyn
                                  RFQ _ Virtue 054451000085.exeGet hashmaliciousFormBookBrowse
                                  • vcddkls.biz/gepvpveyhkiwwmj
                                  Ziraat_Swift.htaGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • vcddkls.biz/kf
                                  RFQ_PO N89397-GM7287-Order.bat.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • ssbzmoy.biz/j
                                  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                  • ssbzmoy.biz/kokmvod
                                  invoice_96.73.exeGet hashmaliciousFormBookBrowse
                                  • acwjcqqv.biz/tgcwttfqletfhyq
                                  Order SMG 201906 20190816order.pdf.scr.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                  • eufxebus.biz/dw

                                  Domains

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  ssbzmoy.bizHSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • 18.141.10.107
                                  Request for Quotation.exeGet hashmaliciousFormBookBrowse
                                  • 18.141.10.107
                                  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • 18.141.10.107
                                  PURCHASE REQUIRED DETAILS 000487958790903403.exeGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  RFQ _ Virtue 054451000085.exeGet hashmaliciousFormBookBrowse
                                  • 18.141.10.107
                                  Ziraat_Swift.htaGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  RFQ_PO N89397-GM7287-Order.bat.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  invoice_96.73.exeGet hashmaliciousFormBookBrowse
                                  • 18.141.10.107
                                  Order SMG 201906 20190816order.pdf.scr.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  vcddkls.bizHSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • 18.141.10.107
                                  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • 18.141.10.107
                                  Ziraat_Swift.htaGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  RFQ_PO N89397-GM7287-Order.bat.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  invoice_96.73.exeGet hashmaliciousFormBookBrowse
                                  • 18.141.10.107
                                  Order SMG 201906 20190816order.pdf.scr.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  C6dAUcOA6M.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                  • 18.141.10.107
                                  PO #09465610_GQ 003745_SO-242000846.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • 18.141.10.107
                                  IBKB.vbsGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                  • 18.141.10.107
                                  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                  • 18.141.10.107
                                  pywolwnvd.bizHSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • 54.244.188.177
                                  MA-DS-2024-03 URGENT.exeGet hashmaliciousFormBookBrowse
                                  • 54.244.188.177
                                  Request for Quotation.exeGet hashmaliciousFormBookBrowse
                                  • 54.244.188.177
                                  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                  • 54.244.188.177
                                  PURCHASE REQUIRED DETAILS 000487958790903403.exeGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                  • 54.244.188.177
                                  RFQ _ Virtue 054451000085.exeGet hashmaliciousFormBookBrowse
                                  • 54.244.188.177
                                  OgkJOmobY7.exeGet hashmaliciousFormBookBrowse
                                  • 54.244.188.177
                                  Ziraat_Swift.htaGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                  • 54.244.188.177
                                  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                  • 54.244.188.177

                                  ASNs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  AMAZON-02UShttps://drive.google.com/uc?export=download&id=1exrW4eArCFn4rWRiZm-_Z8vKtyu_rwNwGet hashmaliciousHTMLPhisherBrowse
                                  • 13.227.2.22
                                  Message_2713712.emlGet hashmaliciousUnknownBrowse
                                  • 34.253.40.242
                                  https://t.ly/me-ZSGet hashmaliciousUnknownBrowse
                                  • 54.186.23.98
                                  https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.htmlGet hashmaliciousUnknownBrowse
                                  • 54.183.66.131
                                  https://app.droplet.io/form/yBW3QNGet hashmaliciousUnknownBrowse
                                  • 3.23.93.108
                                  https://hdtodayz.to/movie/watch-the-shawshank-redemption-hd-19679Get hashmaliciousHTMLPhisherBrowse
                                  • 13.227.8.55
                                  https://bdigoelveraf34.pages.dev/?yfg=qjexfopxr&psa=Virginia.Kisieliute@foster-gamko.comGet hashmaliciousHTMLPhisherBrowse
                                  • 3.160.188.105
                                  message__86_4F_17774_8082F476_ccg01mail04_.emlGet hashmaliciousUnknownBrowse
                                  • 13.227.8.8
                                  invoice09850.xlsGet hashmaliciousRemcosBrowse
                                  • 54.150.207.131
                                  Document.xla.xlsxGet hashmaliciousUnknownBrowse
                                  • 54.150.207.131
                                  AMAZON-02UShttps://drive.google.com/uc?export=download&id=1exrW4eArCFn4rWRiZm-_Z8vKtyu_rwNwGet hashmaliciousHTMLPhisherBrowse
                                  • 13.227.2.22
                                  Message_2713712.emlGet hashmaliciousUnknownBrowse
                                  • 34.253.40.242
                                  https://t.ly/me-ZSGet hashmaliciousUnknownBrowse
                                  • 54.186.23.98
                                  https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.htmlGet hashmaliciousUnknownBrowse
                                  • 54.183.66.131
                                  https://app.droplet.io/form/yBW3QNGet hashmaliciousUnknownBrowse
                                  • 3.23.93.108
                                  https://hdtodayz.to/movie/watch-the-shawshank-redemption-hd-19679Get hashmaliciousHTMLPhisherBrowse
                                  • 13.227.8.55
                                  https://bdigoelveraf34.pages.dev/?yfg=qjexfopxr&psa=Virginia.Kisieliute@foster-gamko.comGet hashmaliciousHTMLPhisherBrowse
                                  • 3.160.188.105
                                  message__86_4F_17774_8082F476_ccg01mail04_.emlGet hashmaliciousUnknownBrowse
                                  • 13.227.8.8
                                  invoice09850.xlsGet hashmaliciousRemcosBrowse
                                  • 54.150.207.131
                                  Document.xla.xlsxGet hashmaliciousUnknownBrowse
                                  • 54.150.207.131

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):1658880
                                  Entropy (8bit):4.312996478921952
                                  Encrypted:false
                                  SSDEEP:24576:0xGBcmlRVg9N9JMlDlfjRiVuVsWt5MJMs:gGy+bgFIDRRAubt5M
                                  MD5:8F45A42A43A3B47A199D0B5346E419EB
                                  SHA1:08E0F0067B6DFC4E87B748C7FE7106D441672496
                                  SHA-256:E56507E9C9FA72EF57D20FAA3AB206075DCF5A33A8750114530CF527F62E0ED5
                                  SHA-512:4909F2A4BA22D02AB23D410F5A70C1556AC9501827C6D28078E8B08EBBDD236AA075C5795426B15C992497F250F4730B20523E68586EDE5E1CA35A12844ACFB6
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................\......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................

                                  C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):2354176
                                  Entropy (8bit):7.049195616820218
                                  Encrypted:false
                                  SSDEEP:49152:fhDdVrQ95RW0YEHyWQXE/09Val0G9gFIDRRAubt5M:fhHYW+HyWKhUf
                                  MD5:ABA75CE67151B4E7CE468B1889A81F1C
                                  SHA1:D2CC1879D6C9F8E014AD39DBA52607178970DDBA
                                  SHA-256:2B5157BF6628240442F7107448DC1EFBF6064BC71B7470F6433ED17B4349C84C
                                  SHA-512:1C4178A35C0FAF968A7A445FE21121E2653459173EFBC6E034B8F737135ECB03A66FF45F0861205BA893C2D2347FF88DA0848E4A34840054B7A986D506ADF92E
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Reputation:low
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................`%......$... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

                                  C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

                                  Download File
                                  Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):3141
                                  Entropy (8bit):4.8287906164717675
                                  Encrypted:false
                                  SSDEEP:48:m0850F020j0hj0A0ZR00KA0F0KmX0o20V0m0F0W0U0K10Oo03a0Kk0Kt0I0a0+0h:nGxXwr8
                                  MD5:5E03A708D82FCBABDA3C3763FB402005
                                  SHA1:3C671F989FC10ED5E51ED4B3F6041C0761860354
                                  SHA-256:BCF90727B0B9AE0C4F2924145C05A641FFBE8B10EE52A23CF4B7DE1415489B8F
                                  SHA-512:E6E6CDDFA87996BFC147097D730D621571279C0DC810AA53144B84CBB31F44DC705166F25B21F1B356FC3748A6234505AA2DD148BBDFD57F805258CBCF187AD6
                                  Malicious:false
                                  Reputation:low
                                  Preview:2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-11 09:09:10-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-11 09:09:10-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-11 09:09:10-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-11 09:09:1

                                  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:modified
                                  Size (bytes):1725440
                                  Entropy (8bit):4.412516227639477
                                  Encrypted:false
                                  SSDEEP:24576:+QVTZu0JRVg9N9JMlDlfjRiVuVsWt5MJMs:lVTZu8gFIDRRAubt5M
                                  MD5:E010C33CCF44CC658E6BE30DD8099ED5
                                  SHA1:ED05FD7DDC5683EA1234AC1DE41A6D5C1FCCBF7A
                                  SHA-256:78E464F8F01DA06E9C072EC44BC055C378A9279AC5440D88B7A411E1EBBDC0E4
                                  SHA-512:E2E6DFC3F8893CC2655180F09E68830660828D4D11BB55C4589B0EAA1D7D4953C3B6CE3A65EB8F46C0EA4F1ED900DEC9B8FF05C8FBB3033885DB5D4299B6B9BA
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Reputation:low
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.....................................y.... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...............t..............@...........................................................................................................................................................................................................................

                                  C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):2370560
                                  Entropy (8bit):7.0315466210794835
                                  Encrypted:false
                                  SSDEEP:49152:YAMsOu3JfCIGnZuTodRFYKBrFDbWpvgFIDRRAubt5M:YAMa38ZuTSlUf
                                  MD5:288F70AAB34D43E51004176A212BFC64
                                  SHA1:71F18768CA46FF8A14EB3F042EF0801A89A9253E
                                  SHA-256:150DD49BBA30F85DBBAF06E3764DCFC7DC0326C12F641E2E78650C911D9C4FC2
                                  SHA-512:6E7E3A31CD004806BCA4EEB65E269C4C6A86BBE26AB5D5E02639959ED855FDB67F964149F05B116C43F4697F99C6CF0DDEA2CB607CDC79CE27DF9256DCDC7D1F
                                  Malicious:true
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e..........".................0..........@..............................%.......$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

                                  C:\Users\user\AppData\Local\Temp\aut21A4.tmp

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):288768
                                  Entropy (8bit):7.994767292626713
                                  Encrypted:true
                                  SSDEEP:6144:Q5wZsUOUqP5Yk9107kvrtgCRCdFz2Y6H0qfUec+xCX4YozB/:Q58BqP5V107kvmCwOHVHcezzB/
                                  MD5:26C4D4015BB5C958DFF4EF03D5A3BDA5
                                  SHA1:C18EEDFB4811FEABCDF85D9585035FBDD08BF119
                                  SHA-256:CB25D0682A8BFEC4EFE7FA36BE462F21E616F431A6CC81CC3BF72A32A436D905
                                  SHA-512:93C819C2B79B7CDB9C0C9653101109FB6238A74E2F8EFB7FA0928D1A6FF964BF54D1CDE897DEE1B1361E0255D6C8D9C5B8537D3F5552AB21B2D296C1DA9BF4D3
                                  Malicious:false
                                  Preview:...UVLW34YUD..A8.2DGJH9U.LW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DG.H9U[S.=0.\.o.@t.../#;.%'#0AQ4u'/#/W-.&"j:L;u%9.t..d#"%]w?IMnH9UULW3IX\.s-&.dR#.w(^.O....92.T...eR#.P.i,0.b06,s-&.Y2DGJH9U..W3|XTD..dnY2DGJH9U.LU2;X^DN.E8Y2DGJH9UUYW30IUDN=E8Y2.GJX9UUNW36YUDNMA8_2DGJH9UU<S30[UDNMA8[2..JH)UU\W30YEDN]A8Y2DGZH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUD`9$@-2DG..=UU\W30.QDN]A8Y2DGJH9UULW3.YU$NMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DG

                                  C:\Users\user\AppData\Local\Temp\peristeronic

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):288768
                                  Entropy (8bit):7.994767292626713
                                  Encrypted:true
                                  SSDEEP:6144:Q5wZsUOUqP5Yk9107kvrtgCRCdFz2Y6H0qfUec+xCX4YozB/:Q58BqP5V107kvmCwOHVHcezzB/
                                  MD5:26C4D4015BB5C958DFF4EF03D5A3BDA5
                                  SHA1:C18EEDFB4811FEABCDF85D9585035FBDD08BF119
                                  SHA-256:CB25D0682A8BFEC4EFE7FA36BE462F21E616F431A6CC81CC3BF72A32A436D905
                                  SHA-512:93C819C2B79B7CDB9C0C9653101109FB6238A74E2F8EFB7FA0928D1A6FF964BF54D1CDE897DEE1B1361E0255D6C8D9C5B8537D3F5552AB21B2D296C1DA9BF4D3
                                  Malicious:false
                                  Preview:...UVLW34YUD..A8.2DGJH9U.LW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DG.H9U[S.=0.\.o.@t.../#;.%'#0AQ4u'/#/W-.&"j:L;u%9.t..d#"%]w?IMnH9UULW3IX\.s-&.dR#.w(^.O....92.T...eR#.P.i,0.b06,s-&.Y2DGJH9U..W3|XTD..dnY2DGJH9U.LU2;X^DN.E8Y2DGJH9UUYW30IUDN=E8Y2.GJX9UUNW36YUDNMA8_2DGJH9UU<S30[UDNMA8[2..JH)UU\W30YEDN]A8Y2DGZH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUD`9$@-2DG..=UU\W30.QDN]A8Y2DGJH9UULW3.YU$NMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DGJH9UULW30YUDNMA8Y2DG

                                  C:\Users\user\AppData\Roaming\b75dbea5ca02394b.bin

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):12320
                                  Entropy (8bit):7.986603696830373
                                  Encrypted:false
                                  SSDEEP:192:KTyXNVIwXeyQR5M1PyUrj8oiPwYKJTNQefe259Rz+9Sj3m5/lEmWDBPuoBuP:KTQNZOrY1PL8jYYgTKdSj3uShDBPjuP
                                  MD5:0FB4B937DCB53F010BE488E92C5D076B
                                  SHA1:70E046535F36B6AF3CD896EAFADB87741A9F1FF0
                                  SHA-256:3FF7C0C53CF6A2AB702F9AD287118E43E84052D2C5597959E7B60B153C78A9D8
                                  SHA-512:5A4F48AD7F901443B3CD5CEDEA0E3AED58B5E2E1198E714F8451B17B11E372AEC30829EC3EFBDE0AC2BA17E5DAC19D2488A54AEEA5FE5D1C0EBFBEF3ED33A3C6
                                  Malicious:false
                                  Preview:.n.t``.N5..`...6C..........c.......<.o.....|-.5..o.UKh.XT .....7q..*5.D..I..,)..._..>.O.e.q..A,.8Xewe.k..u.~.l...24.D...l..dt..'{...Ez..fB...._G.....2..{U.......\#....Tz......q..G.4.8..N........S=......Y..=.x.o..7.w.4.'..Wf...........B............0T.2.,..r..L"...6.z.L{.h.1....y..!.u.M$.....'.u..z....+..-....r..(.M........5...l.S...l0.3...kl.9..dw..&.+x.P.8.$.+...H....".X..rg.....'..Qd. m. U.F.pmJ.6...l..j...:....XB....T_...l.6z....w<.(...........8...$..>".p..I.....~.nmZ..k)*f....f..P..;lY.U..T!_R...... .q..8...X...8v...N<hVOZs..y.l..]..G|'l..A.x\..J....nB...L....9.{.Y.. ........:..Zf....@.(..&..v-.s"'.T``B=...%.H...p.. .s.t%W.>.%...x,_}.<..!...v.1n..U.#u...X7..z..X..%<.J..l.W7 b~.(.......H.]\.e.K?......a$.i.K.]..+.....q...\..Q....Q#..l..U..2....B#..@..JdGo.SL......_.v8..7...:j........k....|.ue'i..r......gw.W.8.'<...;f..i.....R..C.{...6..G%2v...}...yA......:}....#Ik.{...g...s.[...l.Q.nc.9...,_.|.b.....q.@.J5...Q..|..j....n.P..-..Ed..H..*..

                                  C:\Windows\System32\AppVClient.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):1348608
                                  Entropy (8bit):7.251572878146187
                                  Encrypted:false
                                  SSDEEP:24576:IQW4qoNUgslKNX0Ip0MgHCpoMBOuMVg9N9JMlDlfjRiVuVsWt5MJMs:IQW9BKNX0IPgiKMBOusgFIDRRAubt5M
                                  MD5:0E2341A5D856BFAE2CC1F50CF22BE6C2
                                  SHA1:1819BCE352F118E2C61E6289A7ABE8A620B86F4D
                                  SHA-256:14BB192FF8EE327B692653748EAE64FD091D0FB6406C7913B9349A47642A52E6
                                  SHA-512:D376F52A188A32AC5A420D78AEB4E7865667A3C78D1735AA46CD2058EFD8D7B49E4DA64BD53C12D090A040620D5224D8AD6AD6787812BC3DC4C64B75B2C0BF36
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

                                  C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):1592832
                                  Entropy (8bit):4.17481863960733
                                  Encrypted:false
                                  SSDEEP:24576:z2G7AbHjknVg9N9JMlDlfjRiVuVsWt5MJMs:z2G7AbHj+gFIDRRAubt5M
                                  MD5:B567F1FD2935B7DC67822B26C2836416
                                  SHA1:03002EE68B2CA077413F006992D849C942E3E14E
                                  SHA-256:580E1F5A9E7A50B0C36BBCD04639264AF9D256AE2A13DA1F80CEF876F974E6D5
                                  SHA-512:90D0F0D8CA4BD04E6DD4AEF0ACC81CFBA540378DAF5CF0C79FC84F63BC606CB054CF3F6A2621BF02625C41BE1AF0483417CB0DAD931A588AD13714EDB16D3067
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.....................................f.... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................

                                  C:\Windows\System32\FXSSVC.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):1242624
                                  Entropy (8bit):7.287673788648845
                                  Encrypted:false
                                  SSDEEP:24576:LkdpSI+K3S/GWei+qNv2wG3vVg9N9JMlDlfjRiVuVsWt5MJMs:L6SIGGWei2wG3dgFIDRRAubt5M
                                  MD5:2F3B30AD24454A67D8021F602425F4FA
                                  SHA1:D8BA48199EE6BA3A124C3F08181BB64F66105F52
                                  SHA-256:D576DC4B27C24501F5653BD4CC2F7D3372F1E5731C46AC6825E1BE4499257AF1
                                  SHA-512:3132DC4BD95B9D56970A9FD68F5D098A7AE43D5EE8E9AC948FCCF4CE599924D51528DEE8ED6B7DAFCC10F89049E147F0562EC9F08E1FDCBB43BD1FF9B177BB4A
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...|..}x...y..}x..}y.x|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P......4..... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

                                  C:\Windows\System32\alg.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\Shipment Notification.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):1594368
                                  Entropy (8bit):4.175681342421043
                                  Encrypted:false
                                  SSDEEP:12288:+EP3RFSV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:dFKVg9N9JMlDlfjRiVuVsWt5MJMs
                                  MD5:0CD114E258D21CEB68054A8716E202D4
                                  SHA1:5BB6B96F39C599AB174ED8F12EE27BF65D75B0A8
                                  SHA-256:EA549DC8F8615EBB0C1C1AD6E8A678CC306CB85EDCCC8322D957C39D7373A376
                                  SHA-512:413DA5F14797C24DEE3145ADB8AF7881FFC39D47F252A08258D6447910D335E050FD01C6AADD45891C8CDE3BB539B838AA9492A667D0B6A50AB408AC0FBCA38C
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.....................................>.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................

                                  C:\Windows\System32\config\systemprofile\AppData\Roaming\b75dbea5ca02394b.bin

                                  Download File
                                  Process:C:\Windows\System32\AppVClient.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):12320
                                  Entropy (8bit):7.9859189497309835
                                  Encrypted:false
                                  SSDEEP:192:oTpv/PfGtiWoJaNv0RgQPVE9hbkugiuSnNmto78vFFqdZcCP+GIHVVipkCK:wpvnfGtnNvNQ6hbkugixNmBvFYYYab
                                  MD5:A6D93F4AB5EBB8320638E70D6B506261
                                  SHA1:09E185650C205A5656780EC1F3A894AC1B86CD2B
                                  SHA-256:007DE5008A918006236AEC7D16BA0CB08464B4750DBC25C4995A34FE8F722D4E
                                  SHA-512:92736B8A998387CE6185D3308B637F4E45CB62E3514A002E1DD37590D2528CDD4F2123EB0EFF4B1F1424AE28A33F815B5645620559BED1E8E6402414DC7FAFD0
                                  Malicious:false
                                  Preview:./.L..{..{..w....1.....oQ.f..:O}.#k(p|..=6..O.XX.J..>...E......k....B1z.X..,.[s.y..4.'...7.."..i.M.......i...UQ...g..R[.d...m.(..7...d..A.M.2.|q.T..H..(7.B...._._..~'..x.. .MZ.e...q...xb...q.LH...|A.%..=j.$=D.......sS..g..!.A....26.....M.2.".h.1EJ......k.,.M....D.-,...*25.$..+w>.....oo".......S.L.....<.f:n...W..3....[>.1.P.\.8.....;9[^.......k...h\N.Y..y.....m......b....Oy.r....nC.5r....G>.......x.<2...s!t......H...s|1.^F3b.}..I[....I....x'*....n...*.........d..WK.wx._.=E...=.W.z.*0b...a7.=..e`. ..9.s9.j...`.I.Z...xsu5.d....;.k..i.;.P.c...uL... ..m...m...C........|+..x.......L.....W......V...[...:|.*.@......lM.B....~.1u"....I(5..T....'UkR.s].f...X.....v....Q..j....;W"............J|.. 6?....E..K.....0.......(0}WB.-....C*..V.......;.k.z..;]!bs..l.....B...0.$.b.x..L.._..>.%....H...F.z...w.I.m.5.D.... .&.[@hQQ.S%....a?D>...mn+7.......Z:.!.!.h$.,z...............u.jDM..../.oO..r.b....t,......OL.......Z......N%.d.9..&=f.....+...$N"(.....

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.518561539535184
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:Shipment Notification.exe
                                  File size:1'793'536 bytes
                                  MD5:65df98b65b9c4cca6ede8e466d67d874
                                  SHA1:52b38684900c19b857cecb5348f65a1305f911fa
                                  SHA256:0629d06c5aa9b9c33a5b7f9fb029023c3c6140bd475e6b68645beca7d85203bd
                                  SHA512:5f7292fbb916730bb86511bec535b57fa9e29c565144df61d47c872390d295d3a4aad370b456f46511e28c701d56483121bb9f566719fdcb3900fbd0d19c9423
                                  SSDEEP:49152:U20c++OCvkGs9FaktNPrVBPfWM9sYegFIDRRAubt5M:vB3vkJ9tPHSqUf
                                  TLSH:3985E02273DDC371CB669173FF6AB7016EBB3C610630B85B1F940D79A960162262D7A3
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

                                  File Icon

                                  Icon Hash:aaf3e3e3938382a0

                                  Static PE Info

                                  General

                                  Entrypoint:0x427dcd
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x67597428 [Wed Dec 11 11:14:48 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:afcdf79be1557326c854b6e20cb900a7

                                  Entrypoint Preview

                                  Instruction
                                  call 00007F010CE74A1Ah
                                  jmp 00007F010CE677E4h
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  push edi
                                  push esi
                                  mov esi, dword ptr [esp+10h]
                                  mov ecx, dword ptr [esp+14h]
                                  mov edi, dword ptr [esp+0Ch]
                                  mov eax, ecx
                                  mov edx, ecx
                                  add eax, esi
                                  cmp edi, esi
                                  jbe 00007F010CE6796Ah
                                  cmp edi, eax
                                  jc 00007F010CE67CCEh
                                  bt dword ptr [004C31FCh], 01h
                                  jnc 00007F010CE67969h
                                  rep movsb
                                  jmp 00007F010CE67C7Ch
                                  cmp ecx, 00000080h
                                  jc 00007F010CE67B34h
                                  mov eax, edi
                                  xor eax, esi
                                  test eax, 0000000Fh
                                  jne 00007F010CE67970h
                                  bt dword ptr [004BE324h], 01h
                                  jc 00007F010CE67E40h
                                  bt dword ptr [004C31FCh], 00000000h
                                  jnc 00007F010CE67B0Dh
                                  test edi, 00000003h
                                  jne 00007F010CE67B1Eh
                                  test esi, 00000003h
                                  jne 00007F010CE67AFDh
                                  bt edi, 02h
                                  jnc 00007F010CE6796Fh
                                  mov eax, dword ptr [esi]
                                  sub ecx, 04h
                                  lea esi, dword ptr [esi+04h]
                                  mov dword ptr [edi], eax
                                  lea edi, dword ptr [edi+04h]
                                  bt edi, 03h
                                  jnc 00007F010CE67973h
                                  movq xmm1, qword ptr [esi]
                                  sub ecx, 08h
                                  lea esi, dword ptr [esi+08h]
                                  movq qword ptr [edi], xmm1
                                  lea edi, dword ptr [edi+08h]
                                  test esi, 00000007h
                                  je 00007F010CE679C5h
                                  bt esi, 03h
                                  jnc 00007F010CE67A18h

                                  Rich Headers

                                  Programming Language:
                                  • [ASM] VS2013 build 21005
                                  • [ C ] VS2013 build 21005
                                  • [C++] VS2013 build 21005
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2013 UPD4 build 31101
                                  • [RES] VS2013 build 21005
                                  • [LNK] VS2013 UPD4 build 31101

                                  Data Directories

                                  NameVirtual AddressVirtual Size Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xba44c0x17c.rdata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xc70000x5f69c.rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa48700x40.rdata
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                  Sections

                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                  .text0x10000x8dcc40x8de003090a3327bcf1f126c5c7f9e4891301cFalse0.5728679102422908data6.676131091367248IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .rdata0x8f0000x2e10e0x2e20079b14b254506b0dbc8cd0ad67fb70ad9False0.33535526761517614OpenPGP Public Key5.76010872795207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .data0xbe0000x8f740x52009f9d6f746f1a415a63de45f8b7983d33False0.1017530487804878data1.198745897703538IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .rsrc0xc70000x5f69c0x5f800fd4a3d1fcc420dbdc13ca844daf914ccFalse0.9306640625data7.90138674775482IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc0x1270000x960000x9500044756377265319a807b21a21afb7add0False0.9757563443791947data7.9380449238130035IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                  Resources

                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                  RT_ICON0xc75a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                                  RT_ICON0xc76d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                                  RT_ICON0xc77f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                                  RT_ICON0xc79200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
                                  RT_ICON0xc7c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
                                  RT_ICON0xc7d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
                                  RT_ICON0xc8bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
                                  RT_ICON0xc94800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
                                  RT_ICON0xc99e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
                                  RT_ICON0xcbf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
                                  RT_ICON0xcd0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
                                  RT_MENU0xcd4a00x50dataEnglishGreat Britain0.9
                                  RT_STRING0xcd4f00x594dataEnglishGreat Britain0.3333333333333333
                                  RT_STRING0xcda840x68adataEnglishGreat Britain0.2747909199522103
                                  RT_STRING0xce1100x490dataEnglishGreat Britain0.3715753424657534
                                  RT_STRING0xce5a00x5fcdataEnglishGreat Britain0.3087467362924282
                                  RT_STRING0xceb9c0x65cdataEnglishGreat Britain0.34336609336609336
                                  RT_STRING0xcf1f80x466dataEnglishGreat Britain0.3605683836589698
                                  RT_STRING0xcf6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
                                  RT_RCDATA0xcf7b80x56963data1.0003270747393975
                                  RT_GROUP_ICON0x12611c0x76dataEnglishGreat Britain0.6610169491525424
                                  RT_GROUP_ICON0x1261940x14dataEnglishGreat Britain1.25
                                  RT_GROUP_ICON0x1261a80x14dataEnglishGreat Britain1.15
                                  RT_GROUP_ICON0x1261bc0x14dataEnglishGreat Britain1.25
                                  RT_VERSION0x1261d00xdcdataEnglishGreat Britain0.6181818181818182
                                  RT_MANIFEST0x1262ac0x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

                                  Imports

                                  DLLImport
                                  WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                  VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                  WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                  COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                  MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                  WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                  PSAPI.DLLGetProcessMemoryInfo
                                  IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                  USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                  UxTheme.dllIsThemeActive
                                  KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                  USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                  GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                  COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                  ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                  SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                  ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                  OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

                                  Possible Origin

                                  Language of compilation systemCountry where language is spokenMap
                                  EnglishGreat Britain

                                  Network Behavior

                                  Suricata IDS Alerts

                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                  2024-12-11T15:09:08.849138+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz154.244.188.17780192.168.2.549704TCP
                                  2024-12-11T15:09:08.849138+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst154.244.188.17780192.168.2.549704TCP
                                  2024-12-11T15:09:12.994539+01002850851ETPRO MALWARE Win32/Expiro.NDO CnC Activity1192.168.2.54970718.141.10.10780TCP
                                  2024-12-11T15:09:13.113888+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz118.141.10.10780192.168.2.549707TCP
                                  2024-12-11T15:09:13.113888+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst118.141.10.10780192.168.2.549707TCP
                                  2024-12-11T15:09:17.688691+01002051648ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)1192.168.2.5568051.1.1.153UDP
                                  2024-12-11T15:09:17.743075+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz144.221.84.10580192.168.2.549709TCP
                                  2024-12-11T15:09:17.743075+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst144.221.84.10580192.168.2.549709TCP
                                  2024-12-11T15:09:27.357731+01002051649ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)1192.168.2.5609621.1.1.153UDP
                                  2024-12-11T15:10:40.157278+01002850851ETPRO MALWARE Win32/Expiro.NDO CnC Activity1192.168.2.54985682.112.184.19780TCP
                                  2024-12-11T15:11:05.062119+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz147.129.31.21280192.168.2.549952TCP
                                  2024-12-11T15:11:05.062119+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst147.129.31.21280192.168.2.549952TCP
                                  2024-12-11T15:11:07.969540+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz113.251.16.15080192.168.2.549961TCP
                                  2024-12-11T15:11:07.969540+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst113.251.16.15080192.168.2.549961TCP

                                  Network Port Distribution

                                  TCP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Dec 11, 2024 15:09:07.258233070 CET4970480192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:07.377686024 CET804970454.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:07.377784967 CET4970480192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:07.396912098 CET4970480192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:07.396990061 CET4970480192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:07.516288042 CET804970454.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:07.516485929 CET804970454.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:08.729449987 CET804970454.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:08.729471922 CET804970454.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:08.729542971 CET4970480192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:08.729734898 CET4970480192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:08.849138021 CET804970454.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:09.150105953 CET4970580192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:09.269784927 CET804970554.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:09.269978046 CET4970580192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:09.270184040 CET4970580192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:09.270184040 CET4970580192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:09.389744043 CET804970554.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:09.389770031 CET804970554.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:10.255340099 CET4970680192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:10.374933958 CET804970618.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:10.375790119 CET4970680192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:10.432301044 CET4970680192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:10.432301998 CET4970680192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:10.551966906 CET804970618.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:10.551971912 CET804970618.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:10.625376940 CET804970554.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:10.625494003 CET804970554.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:10.625754118 CET4970580192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:10.626888990 CET4970580192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:10.746861935 CET804970554.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:10.867355108 CET4970780192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:10.988064051 CET804970718.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:10.988367081 CET4970780192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:10.989250898 CET4970780192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:10.989252090 CET4970780192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:11.110102892 CET804970718.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:11.110133886 CET804970718.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:11.773947001 CET4970680192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:12.993664026 CET804970718.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:12.994134903 CET804970718.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:12.994539022 CET4970780192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:12.997101068 CET4970780192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:13.113888025 CET804970718.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:13.917072058 CET4970880192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:14.036674023 CET804970854.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:14.037127018 CET4970880192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:14.037401915 CET4970880192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:14.037448883 CET4970880192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:14.157075882 CET804970854.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:14.157146931 CET804970854.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:15.388976097 CET804970854.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:15.389091015 CET804970854.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:15.389434099 CET4970880192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:15.389434099 CET4970880192.168.2.554.244.188.177
                                  Dec 11, 2024 15:09:15.508812904 CET804970854.244.188.177192.168.2.5
                                  Dec 11, 2024 15:09:28.455945969 CET4974080192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:28.575371027 CET804974018.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:28.576100111 CET4974080192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:28.576235056 CET4974080192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:28.576248884 CET4974080192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:28.695491076 CET804974018.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:28.695584059 CET804974018.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:30.578567028 CET804974018.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:30.578860998 CET804974018.141.10.107192.168.2.5
                                  Dec 11, 2024 15:09:30.578943014 CET4974080192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:30.579026937 CET4974080192.168.2.518.141.10.107
                                  Dec 11, 2024 15:09:30.698386908 CET804974018.141.10.107192.168.2.5

                                  UDP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Dec 11, 2024 15:09:05.532119036 CET5840653192.168.2.51.1.1.1
                                  Dec 11, 2024 15:09:06.310450077 CET53584061.1.1.1192.168.2.5
                                  Dec 11, 2024 15:09:08.842972994 CET5836153192.168.2.51.1.1.1
                                  Dec 11, 2024 15:09:08.980761051 CET53583611.1.1.1192.168.2.5
                                  Dec 11, 2024 15:09:09.228030920 CET5070953192.168.2.51.1.1.1
                                  Dec 11, 2024 15:09:09.825623989 CET53507091.1.1.1192.168.2.5
                                  Dec 11, 2024 15:09:10.701744080 CET5429853192.168.2.51.1.1.1
                                  Dec 11, 2024 15:09:10.839895964 CET53542981.1.1.1192.168.2.5
                                  Dec 11, 2024 15:09:27.356472969 CET53643361.1.1.1192.168.2.5
                                  Dec 11, 2024 15:09:30.972376108 CET53560591.1.1.1192.168.2.5
                                  Dec 11, 2024 15:09:31.192678928 CET53631931.1.1.1192.168.2.5
                                  Dec 11, 2024 15:11:09.865360975 CET5771453192.168.2.51.1.1.1
                                  Dec 11, 2024 15:11:10.455939054 CET53577141.1.1.1192.168.2.5

                                  DNS Queries

                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                  Dec 11, 2024 15:09:05.532119036 CET192.168.2.51.1.1.10x94ffStandard query (0)pywolwnvd.bizA (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:08.842972994 CET192.168.2.51.1.1.10xeae4Standard query (0)pywolwnvd.bizA (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:09.228030920 CET192.168.2.51.1.1.10x9e95Standard query (0)ssbzmoy.bizA (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:10.701744080 CET192.168.2.51.1.1.10xdcc4Standard query (0)ssbzmoy.bizA (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:11:09.865360975 CET192.168.2.51.1.1.10xfabfStandard query (0)vcddkls.bizA (IP address)IN (0x0001)false

                                  DNS Answers

                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                  Dec 11, 2024 15:09:06.310450077 CET1.1.1.1192.168.2.50x94ffNo error (0)pywolwnvd.biz54.244.188.177A (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:08.980761051 CET1.1.1.1192.168.2.50xeae4No error (0)pywolwnvd.biz54.244.188.177A (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:09.825623989 CET1.1.1.1192.168.2.50x9e95No error (0)ssbzmoy.biz18.141.10.107A (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:10.839895964 CET1.1.1.1192.168.2.50xdcc4No error (0)ssbzmoy.biz18.141.10.107A (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:27.356472969 CET1.1.1.1192.168.2.50x7031Name error (3)zlenh.biznonenoneA (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:30.972376108 CET1.1.1.1192.168.2.50x84c6Name error (3)uhxqin.biznonenoneA (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:09:31.192678928 CET1.1.1.1192.168.2.50x6726Name error (3)anpmnmxo.biznonenoneA (IP address)IN (0x0001)false
                                  Dec 11, 2024 15:11:10.455939054 CET1.1.1.1192.168.2.50xfabfNo error (0)vcddkls.biz18.141.10.107A (IP address)IN (0x0001)false

                                  HTTP Request Dependency Graph

                                  • pywolwnvd.biz
                                  • ssbzmoy.biz
                                  • cvgrf.biz
                                  • knjghuig.biz

                                  HTTP Packets

                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  0192.168.2.54970454.244.188.177802448C:\Users\user\Desktop\Shipment Notification.exe
                                  TimestampBytes transferredDirectionData
                                  Dec 11, 2024 15:09:07.396912098 CET354OUTPOST /wqjbkdjiy HTTP/1.1
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Pragma: no-cache
                                  Host: pywolwnvd.biz
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                  Content-Length: 824
                                  Dec 11, 2024 15:09:07.396990061 CET824OUTData Raw: 07 fe c3 e1 f3 6c 21 11 2c 03 00 00 03 1a 7d 95 56 32 2b ec 7e 91 ac 28 1e 56 24 ad 73 6f f9 52 4a 50 a9 0b f3 02 0d 0a d3 1b 1c 05 48 de 08 47 36 48 6f 12 e3 5e cb c6 31 cc fe 80 6d 02 08 a7 93 06 72 01 1e c1 3c bd 51 2e 55 25 8e c7 3b fc 12 6a
                                  Data Ascii: l!,}V2+~(V$soRJPHG6Ho^1mr<Q.U%;jlKZ6YYVv]l1"5 Iz0VObA-nIS$b6,wk2y69biiBIM"XG@w7Xf|_$!qadc}]e
                                  Dec 11, 2024 15:09:08.729449987 CET413INHTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Wed, 11 Dec 2024 14:09:08 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=37f4dd93dbff8501640fd1c0e40f27c1|8.46.123.175|1733926148|1733926148|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  1192.168.2.54970554.244.188.17780
                                  TimestampBytes transferredDirectionData
                                  Dec 11, 2024 15:09:09.270184040 CET347OUTPOST /nu HTTP/1.1
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Pragma: no-cache
                                  Host: pywolwnvd.biz
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                  Content-Length: 874
                                  Dec 11, 2024 15:09:09.270184040 CET874OUTData Raw: 55 d8 d8 ee 5c 32 c2 8a 5e 03 00 00 0a 9c ff d1 5f 5b 00 41 ea 22 86 da ae 1b a0 c5 2f 22 d8 d2 7f 73 d7 9d 51 30 44 bd 47 05 a3 ec b9 45 25 cb 1b f1 38 59 0c 7c 00 59 c7 48 df 0c a7 f7 bd 2f d2 2c ba 2d 13 26 ea 33 91 1e 07 76 cd 45 79 90 77 d0
                                  Data Ascii: U\2^_[A"/"sQ0DGE%8Y|YH/,-&3vEyw~wS@8}}9t^-~8U"`[!TMN<^1B/)L!j+T<LxRmHB^5gvH;}/C4Vl@?._Gm[3a%(5M<DUg]F
                                  Dec 11, 2024 15:09:10.625376940 CET413INHTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Wed, 11 Dec 2024 14:09:10 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=c4555ca49144f35bef9126a67d40bc69|8.46.123.175|1733926150|1733926150|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  2192.168.2.54970618.141.10.107802448C:\Users\user\Desktop\Shipment Notification.exe
                                  TimestampBytes transferredDirectionData
                                  Dec 11, 2024 15:09:10.432301044 CET349OUTPOST /odsonv HTTP/1.1
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Pragma: no-cache
                                  Host: ssbzmoy.biz
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                  Content-Length: 824
                                  Dec 11, 2024 15:09:10.432301998 CET824OUTData Raw: fa a9 1b 35 c8 df d8 22 2c 03 00 00 0a 0b 07 84 d4 6c 84 84 8d 67 b3 14 f6 dc 16 03 8a db 4e ab 2d 6a c7 84 af 22 27 d9 ee 53 42 e1 0a b2 e1 c9 02 0f 3c c1 3a f2 de ec 69 a8 9c da 86 1d b2 0c 5e c9 8e be 98 de d7 04 40 1b ce df 70 8a 6d 53 5d f7
                                  Data Ascii: 5",lgN-j"'SB<:i^@pmS]V+/39q4|Ub!mD+d<%sm& dB8TH:oiKicEGFO>(PIww]H 36uFo*ELkz-H>J2


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  3192.168.2.54970718.141.10.10780
                                  TimestampBytes transferredDirectionData
                                  Dec 11, 2024 15:09:10.989250898 CET355OUTPOST /ifrlysutnhlr HTTP/1.1
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Pragma: no-cache
                                  Host: ssbzmoy.biz
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                  Content-Length: 874
                                  Dec 11, 2024 15:09:10.989252090 CET874OUTData Raw: f0 b2 c9 1d 4a 77 40 a8 5e 03 00 00 d9 62 70 ec 6e 21 50 68 46 1a 64 f3 a8 1a b5 f1 46 29 0a 57 2b 4a 81 4b 41 c6 40 67 30 92 45 15 c9 c8 62 8e d6 f6 53 14 cf 2f 01 b5 ad 6f 5c 38 74 b3 be d2 72 dd 2c 79 99 d9 02 91 1f 4b 55 fb f8 68 fb 2b 51 bf
                                  Data Ascii: Jw@^bpn!PhFdF)W+JKA@g0EbS/o\8tr,yKUh+Q N"a$a*0VY9Sgs%gc41NcF9Hn]q=oC!{-HR2Ic[CZ.Pn4[z,z[W}x|NQI
                                  Dec 11, 2024 15:09:12.993664026 CET411INHTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Wed, 11 Dec 2024 14:09:12 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=6c4155521f4d46e16bb0f1d592175eba|8.46.123.175|1733926152|1733926152|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  4192.168.2.54970854.244.188.17780
                                  TimestampBytes transferredDirectionData
                                  Dec 11, 2024 15:09:14.037401915 CET343OUTPOST /pm HTTP/1.1
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Pragma: no-cache
                                  Host: cvgrf.biz
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                  Content-Length: 874
                                  Dec 11, 2024 15:09:14.037448883 CET874OUTData Raw: 1a 54 a9 d1 56 7c d7 94 5e 03 00 00 28 4f 9e 7d 1f 49 29 45 b2 c6 fd 6e be 3f e5 55 b6 b9 3a a1 11 f0 4c f9 60 f9 85 93 7b 22 04 55 40 7b af 16 b2 09 2f 92 88 62 12 49 1c 7d 52 5a 12 04 b8 4f 41 2d 93 57 12 8a 3f 65 9a f8 2b 3d c2 1e 35 68 46 96
                                  Data Ascii: TV|^(O}I)En?U:L`{"U@{/bI}RZOA-W?e+=5hF7|?K)-}L "0}UR[yfSJV85bqw%;!41\#6m(s(8FKG5JpwQ<X^1:/2Q
                                  Dec 11, 2024 15:09:15.388976097 CET409INHTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Wed, 11 Dec 2024 14:09:15 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=eb4f29f5a8b54de1193fe38477899fa6|8.46.123.175|1733926155|1733926155|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  5192.168.2.54974018.141.10.10780
                                  TimestampBytes transferredDirectionData
                                  Dec 11, 2024 15:09:28.576235056 CET357OUTPOST /hsyjdjsftfdjf HTTP/1.1
                                  Cache-Control: no-cache
                                  Connection: Keep-Alive
                                  Pragma: no-cache
                                  Host: knjghuig.biz
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                  Content-Length: 874
                                  Dec 11, 2024 15:09:28.576248884 CET874OUTData Raw: 6c 33 e6 64 1b 94 bd 3a 5e 03 00 00 35 7a 55 fe 7f ec 53 6e 0d ed 50 7d aa ea 5d 46 af f6 4b 44 a1 24 6e 6c 0c c6 15 fb 11 41 63 5a 6f 27 3b 88 78 b0 cc d3 65 99 dd 7e 1f be fa 95 1d e0 47 87 51 3f 75 3e fc 30 44 af f8 58 df 18 03 94 fe 16 fe 4a
                                  Data Ascii: l3d:^5zUSnP}]FKD$nlAcZo';xe~GQ?u>0DXJ!U#@(3k.Z AzxHiYiy@p~_%m>WX(XUM=|1x!wqR-@OX)I%zb\32v
                                  Dec 11, 2024 15:09:30.578567028 CET412INHTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Wed, 11 Dec 2024 14:09:30 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: btst=487e179a74d21819f0857fce7824f8f5|8.46.123.175|1733926170|1733926170|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Statistics

                                  CPU Usage

                                  Click to jump to process

                                  Memory Usage

                                  Click to jump to process

                                  High Level Behavior Distribution

                                  Click to dive into process behavior distribution

                                  Behavior

                                  Click to jump to process

                                  System Behavior

                                  General

                                  Target ID:0
                                  Start time:09:09:03
                                  Start date:11/12/2024
                                  Path:C:\Users\user\Desktop\Shipment Notification.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Shipment Notification.exe"
                                  Imagebase:0x400000
                                  File size:1'793'536 bytes
                                  MD5 hash:65DF98B65B9C4CCA6EDE8E466D67D874
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:2
                                  Start time:09:09:03
                                  Start date:11/12/2024
                                  Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                  Imagebase:0x400000
                                  File size:1'658'880 bytes
                                  MD5 hash:8F45A42A43A3B47A199D0B5346E419EB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low
                                  Has exited:false

                                  General

                                  Target ID:3
                                  Start time:09:09:04
                                  Start date:11/12/2024
                                  Path:C:\Windows\System32\alg.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\alg.exe
                                  Imagebase:0x140000000
                                  File size:1'594'368 bytes
                                  MD5 hash:0CD114E258D21CEB68054A8716E202D4
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low
                                  Has exited:false

                                  General

                                  Target ID:4
                                  Start time:09:09:05
                                  Start date:11/12/2024
                                  Path:C:\Windows\System32\drivers\AppVStrm.sys
                                  Wow64 process (32bit):
                                  Commandline:
                                  Imagebase:
                                  File size:138'056 bytes
                                  MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                  Has elevated privileges:
                                  Has administrator privileges:
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  General

                                  Target ID:5
                                  Start time:09:09:05
                                  Start date:11/12/2024
                                  Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                  Wow64 process (32bit):
                                  Commandline:
                                  Imagebase:
                                  File size:174'408 bytes
                                  MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                  Has elevated privileges:
                                  Has administrator privileges:
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  General

                                  Target ID:6
                                  Start time:09:09:05
                                  Start date:11/12/2024
                                  Path:C:\Windows\System32\drivers\AppvVfs.sys
                                  Wow64 process (32bit):
                                  Commandline:
                                  Imagebase:
                                  File size:154'952 bytes
                                  MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                                  Has elevated privileges:
                                  Has administrator privileges:
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  General

                                  Target ID:7
                                  Start time:09:09:05
                                  Start date:11/12/2024
                                  Path:C:\Windows\System32\AppVClient.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\AppVClient.exe
                                  Imagebase:0x140000000
                                  File size:1'348'608 bytes
                                  MD5 hash:0E2341A5D856BFAE2CC1F50CF22BE6C2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:10
                                  Start time:09:09:07
                                  Start date:11/12/2024
                                  Path:C:\Windows\System32\FXSSVC.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\fxssvc.exe
                                  Imagebase:0x140000000
                                  File size:1'242'624 bytes
                                  MD5 hash:2F3B30AD24454A67D8021F602425F4FA
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:11
                                  Start time:09:09:09
                                  Start date:11/12/2024
                                  Path:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                                  Imagebase:0x140000000
                                  File size:2'354'176 bytes
                                  MD5 hash:ABA75CE67151B4E7CE468B1889A81F1C
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low
                                  Has exited:false

                                  General

                                  Target ID:12
                                  Start time:09:09:10
                                  Start date:11/12/2024
                                  Path:C:\Windows\SysWOW64\svchost.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Shipment Notification.exe"
                                  Imagebase:0x350000
                                  File size:46'504 bytes
                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2456776187.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  General

                                  Target ID:13
                                  Start time:09:09:10
                                  Start date:11/12/2024
                                  Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                  Imagebase:0x140000000
                                  File size:1'725'440 bytes
                                  MD5 hash:E010C33CCF44CC658E6BE30DD8099ED5
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low
                                  Has exited:true

                                  Disassembly

                                  Reset < >

                                    Execution Graph

                                    Execution Coverage:4%
                                    Dynamic/Decrypted Code Coverage:97.8%
                                    Signature Coverage:8.6%
                                    Total number of Nodes:93
                                    Total number of Limit Nodes:5
                                    execution_graph 5638 c35be2 5639 c35bfc CloseHandle 5638->5639 5641 c35be7 5638->5641 5639->5641 5642 c35b42 5643 c35b07 5642->5643 5643->5642 5644 c35b68 5643->5644 5645 c35cdf CreateThread 5643->5645 5646 c35c01 5645->5646 5649 c354a0 5645->5649 5647 c35c03 CloseHandle 5646->5647 5648 c35c20 5646->5648 5647->5644 5650 c354b5 5649->5650 5651 c35522 VirtualAlloc 5650->5651 5651->5650 5658 c35b00 5659 c35bba 5658->5659 5666 c452c0 5659->5666 5661 c35bc7 5665 c35bde 5661->5665 5671 c50080 5661->5671 5667 c452c6 5666->5667 5670 c452ce 5666->5670 5667->5670 5685 c3e050 5667->5685 5670->5661 5677 c50089 5671->5677 5672 c503e0 GetComputerNameW 5672->5677 5673 c50181 VirtualFree 5673->5677 5674 c3e050 VirtualAlloc 5674->5677 5675 c503bf GetUserNameW 5675->5677 5676 c504d6 GetComputerNameW 5676->5677 5677->5672 5677->5673 5677->5674 5677->5675 5677->5676 5678 c35c7b 5677->5678 5679 c38070 5678->5679 5681 c38075 5679->5681 5680 c38186 CloseHandle 5680->5681 5681->5680 5682 c381ad GetTokenInformation 5681->5682 5683 c380ca GetTokenInformation 5681->5683 5684 c380a7 5681->5684 5682->5681 5683->5681 5684->5665 5686 c3e0c3 5685->5686 5687 c3e0d8 VirtualAlloc 5686->5687 5687->5686 5708 c35860 5709 c452c0 VirtualAlloc 5708->5709 5710 c35869 5709->5710 5711 c50080 5 API calls 5710->5711 5712 c3587d 5711->5712 5713 c38070 3 API calls 5712->5713 5714 c35870 5713->5714 5688 c35b87 CreateThread 5689 c35b1c 5688->5689 5697 c35810 5688->5697 5690 c35d0d 5689->5690 5692 c35cdf CreateThread 5689->5692 5693 c35c01 5689->5693 5691 c35c03 CloseHandle 5695 c35d37 5691->5695 5692->5693 5696 c354a0 VirtualAlloc 5692->5696 5693->5691 5694 c35c20 5693->5694 5698 c35822 5697->5698 5699 c354c4 5700 c354c5 5699->5700 5701 c35522 VirtualAlloc 5700->5701 5701->5700 5758 c35b09 5759 c35b16 5758->5759 5760 c35d0d 5759->5760 5761 c35c01 5759->5761 5763 c35cdf CreateThread 5759->5763 5762 c35c03 CloseHandle 5761->5762 5765 c35c20 5761->5765 5764 c35d37 5762->5764 5763->5761 5766 c354a0 VirtualAlloc 5763->5766 5715 c355ef 5717 c355ac 5715->5717 5718 c355e4 5717->5718 5719 c53870 5717->5719 5721 c53876 5719->5721 5722 c53893 5721->5722 5723 c53720 5721->5723 5722->5717 5726 c40c42 5723->5726 5724 c537dd 5724->5722 5725 c3e050 VirtualAlloc 5725->5726 5726->5723 5726->5724 5726->5725 5652 c381b1 5657 c38075 5652->5657 5653 c38186 CloseHandle 5653->5657 5654 c380ca GetTokenInformation 5654->5657 5655 c381ad GetTokenInformation 5655->5657 5656 c380a7 5657->5653 5657->5654 5657->5655 5657->5656 5702 c38090 5705 c38075 5702->5705 5703 c38186 CloseHandle 5703->5705 5704 c380ca GetTokenInformation 5704->5705 5705->5703 5705->5704 5706 c380a7 5705->5706 5707 c381ad GetTokenInformation 5705->5707 5707->5705 5727 c357f0 5728 c355ac 5727->5728 5729 c53870 VirtualAlloc 5728->5729 5730 c355e4 5728->5730 5729->5728

                                    Executed Functions

                                    Function 00C50080 Relevance: 5.0, APIs: 3, Instructions: 466COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 0 c50080-c50286 2 c5028c 0->2 3 c50099-c50575 0->3 5 c50445 2->5 7 c50155 3->7 8 c5057b 3->8 5->3 6 c5044b-c50457 5->6 9 c50458-c50472 GetComputerNameW 6->9 11 c502ef-c50495 call c3e050 * 2 7->11 8->7 10 c50581-c50587 8->10 15 c5024c-c50253 9->15 16 c503ee-c503f4 9->16 13 c5058b 10->13 11->9 55 c5043e 11->55 18 c50181 VirtualFree 13->18 19 c5058c-c50591 13->19 23 c50255 15->23 24 c501e6 15->24 37 c500da-c5023f 16->37 38 c503fa 16->38 20 c501a8-c502ac call c67164 18->20 21 c50597 19->21 22 c504ab-c504af 19->22 27 c502b1-c502be 20->27 21->22 30 c5059d 21->30 48 c504c7 22->48 31 c502d3 23->31 24->27 28 c501ec-c50313 call c6715c 24->28 33 c502c4 27->33 34 c503bf-c503d9 GetUserNameW 27->34 52 c50318-c5031e 28->52 30->22 31->24 36 c502d9 31->36 33->34 43 c502ca 33->43 44 c50331 34->44 36->11 37->15 50 c50241-c5024a 37->50 38->37 45 c50400 38->45 43->31 53 c50337 44->53 54 c50171 44->54 51 c5b1ee-c5b49f 45->51 58 c504cc-c504e6 call c69970 GetComputerNameW 48->58 50->15 50->27 56 c50324 52->56 57 c50568-c5056b 52->57 53->54 61 c5033d 53->61 59 c50173 54->59 60 c5013f-c50146 54->60 55->5 56->57 64 c5032a 56->64 57->58 70 c50131 58->70 71 c504ec-c50514 58->71 66 c50230 59->66 60->13 62 c505d0-c505d9 61->62 62->51 64->44 66->48 67 c50236-c505c2 66->67 67->48 74 c505c8-c505c9 67->74 72 c50137 70->72 73 c50089-c5008c 70->73 71->57 72->73 77 c5013d 72->77 73->20 76 c50092 73->76 74->62 76->20 78 c50098 76->78 77->18 77->60 78->3
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID: ComputerName
                                    • String ID:
                                    • API String ID: 3545744682-0
                                    • Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                    • Instruction ID: 2016ceaab3752c7d76ec6b6d76f55c8f77f73771e19e0cafb20109e37d0b3ad6
                                    • Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                    • Instruction Fuzzy Hash: 8FD12535418F098BC728EF58CC467EAB7D1FBA0311F68461FDC56C3164DA749A8986C6
                                    Function 00C352A0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 314 c352a0-c352a5 315 c352ab-c352f5 314->315 316 c3532e-c3533f 314->316 315->316 319 c352f7 315->319 320 c3536b-c35390 316->320 321 c353fe 319->321 327 c353c3 320->327 328 c35392-c3539a 320->328 323 c35404-c3540e 321->323 324 c70d4c-c70d4e 321->324 326 c35424 323->326 329 c3539b 326->329 330 c3542a 326->330 328->329 331 c35413-c35419 329->331 332 c3539d-c353a1 329->332 330->329 333 c35430-c35443 330->333 334 c352b0-c352b5 332->334 335 c353a7 332->335 335->334 336 c353ad 335->336 337 c353f3-c353f9 336->337 338 c353af-c353f1 336->338 337->321 341 c35322-c35328 337->341 338->331 338->337 342 c35355 341->342 343 c3532a 341->343 346 c352d1-c352e7 342->346 347 c352e8-c35363 342->347 343->342 344 c3532c 343->344 344->316 346->347 350 c353d1-c353d5 347->350 351 c35365 347->351 350->332 352 c353d7 350->352 351->350 353 c35367-c35369 351->353 355 c35400-c3540e 352->355 356 c3534b 352->356 353->320 355->326 356->355 357 c35351-c35353 356->357 357->342
                                    APIs
                                    • GetSystemDefaultLangID.KERNELBASE ref: 00C353C4
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID: DefaultLangSystem
                                    • String ID:
                                    • API String ID: 706401283-0
                                    • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                    • Instruction ID: 4c4386b50d5bd3081784346ae7bda678ec785bae294d4bcb5eb72f0942df6c8f
                                    • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                    • Instruction Fuzzy Hash: 00413AA183DED58FD36A432544643B17BD09B123E2F9D04D7D4E3CB0F2E1990E819766
                                    Function 00C38070 Relevance: 4.7, APIs: 3, Instructions: 236COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 79 c38070-c3817e 81 c38180 79->81 82 c3813d-c381a5 79->82 83 c38184 81->83 84 c3815f 81->84 97 c381a7 82->97 98 c381bd-c381ca 82->98 85 c38186 CloseHandle 83->85 86 c3818c-c38192 83->86 84->82 88 c38161 84->88 85->86 89 c38115-c38118 86->89 90 c38194 86->90 92 c38163-c38170 call c67164 88->92 95 c380a7 89->95 96 c38119-c3811a 89->96 90->89 93 c3819a 90->93 92->85 103 c38172 92->103 99 c3813c 93->99 96->95 101 c3811c 96->101 107 c380f3 98->107 108 c381d0 98->108 99->83 104 c3820f 101->104 103->86 105 c38215-c3821e 104->105 106 c3808e-c38096 104->106 105->106 116 c38224 105->116 106->83 106->95 109 c380f5 107->109 110 c3808c 107->110 117 c380c3 108->117 118 c381fe-c38201 GetTokenInformation 108->118 109->110 115 c38077 109->115 110->106 119 c381d7-c381de call c6715c 115->119 116->119 120 c38226 116->120 117->118 121 c380c9 117->121 118->104 127 c381b7 118->127 129 c381e3-c381e6 119->129 120->119 123 c38228-c382ee call c35d90 120->123 126 c380ca-c380d8 GetTokenInformation 121->126 146 c382f0 123->146 147 c3830c-c3831e 123->147 130 c3810f 126->130 127->104 132 c381b9-c381bb 127->132 129->126 142 c38089 129->142 133 c38111 130->133 134 c3812d 130->134 132->98 133->134 137 c38113 133->137 139 c38133 134->139 140 c380a8 134->140 137->89 139->99 141 c381ed-c381f0 139->141 144 c380aa-c380ad 140->144 148 c381f6 141->148 149 c380da-c380f1 141->149 142->126 145 c3808b 142->145 144->92 150 c380b3-c38203 144->150 145->110 146->147 153 c382f2 146->153 151 c382a1-c382ba call c35d90 call c3ec00 147->151 152 c38320 147->152 148->149 154 c381fc 148->154 149->144 150->92 160 c38209 150->160 151->152 158 c38322 152->158 159 c382f7-c382fc call c35d90 152->159 153->159 154->118 158->159 162 c38324-c38326 158->162 170 c38253-c38265 call c51280 159->170 171 c38302 159->171 166 c38328 162->166 172 c38335 166->172 173 c382df-c3832b 166->173 170->166 180 c3826b 170->180 171->170 175 c38308-c3830a 171->175 178 c3826e-c38285 172->178 173->172 179 c3832d-c38331 173->179 175->147 181 c38287 178->181 182 c3829b-c3829d 178->182 179->172 180->178 183 c38239 180->183 184 c3824c 181->184 182->151 183->166 185 c3823f-c38243 183->185 184->182 186 c3824e-c38252 184->186 185->159 185->184 186->178
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                    • Instruction ID: 1a9ea4b6acb718ff408c05b3e76dcc5c65ffb6d0b8460811c70eb63dc9e8e4c9
                                    • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                    • Instruction Fuzzy Hash: DA61677063CB459FCBA98B29881437E7BA0FB55350F68025AF467C32A0DF285E4DD752
                                    Function 00C35B09 Relevance: 3.1, APIs: 2, Instructions: 60COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 187 c35b09-c35d01 192 c35d07 187->192 193 c35bb4 187->193 192->193 194 c35d0d 192->194 195 c35c01-c35d41 CloseHandle 193->195 196 c35cda-c35ce4 CreateThread 193->196 201 c35d43 195->201 202 c35d4b-c35d52 195->202 196->195 200 c35cea 196->200 200->195 203 c35cf0-c35cf6 200->203 206 c35d54 201->206 205 c35d45-c35d47 202->205 202->206 207 c35d49 205->207 208 c35d5f 205->208 207->202 207->208 210 c35d65 208->210 210->210
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                    • Instruction ID: d5b88156e1bb2605f530ab7b94ef2fbd4ff5ce4cd0f64551362d6d87cf4d8771
                                    • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                    • Instruction Fuzzy Hash: E701F13053DF868FDB665725AD18379BBD0AB1832CF2805ABC497CA0D5DBA08B00E752
                                    Function 00C35910 Relevance: 1.9, APIs: 1, Instructions: 607COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 211 c35910-c35912 212 c35950-c35968 211->212 213 c35915-c35928 call c69970 211->213 212->213 214 c3596a 212->214 220 c359b8 call c50df0 213->220 216 c35970-c3597b 214->216 217 c3592f 214->217 221 c359d4 216->221 222 c3597d 216->222 217->213 219 c35931-c4072c 217->219 229 c40806-c40809 219->229 230 c40732-c40738 219->230 231 c359bd-c359c2 call c35d90 220->231 225 c3593b-c35a15 call c511a0 221->225 226 c359d8 221->226 222->221 227 c3597f-c35981 222->227 239 c359d9-c359de call c62190 226->239 228 c35983-c35a38 227->228 240 c35994-c3599c 228->240 241 c35a3e 228->241 245 c4079d-c407a6 229->245 237 c40800 230->237 238 c4073e 230->238 242 c359c7-c359ce 231->242 237->229 244 c406b3-c406b7 237->244 238->237 246 c40744-c40774 238->246 239->240 263 c359e0 239->263 252 c35a02 240->252 253 c3599e-c359f7 240->253 248 c35a2c-c35a34 241->248 249 c359d0 242->249 250 c35a1a-c35a26 242->250 244->245 255 c406bd 244->255 256 c40791-c40793 245->256 257 c407a8 245->257 260 c406d5-c406d9 246->260 261 c4077a-c4081c 246->261 248->239 249->250 258 c359d2-c359de 249->258 250->248 259 c359a1-c359b5 call c35e10 250->259 252->216 253->252 255->245 264 c406c3-c407fe 255->264 265 c407ca-c407cc 256->265 257->256 266 c407aa 257->266 258->240 258->263 259->220 282 c35a08-c35a0b 259->282 271 c406df 260->271 272 c406db 260->272 261->245 263->240 267 c359e2-c359ec 263->267 264->237 266->265 275 c35a62-c35a6e 267->275 276 c359ee-c359ef 267->276 271->245 272->271 278 c406dd 272->278 279 c35a70 275->279 280 c35a75-c35ab3 call c51280 275->280 276->228 281 c359f1 276->281 278->271 283 c4c0cc 278->283 279->280 287 c35a72 279->287 301 c35ab5 280->301 302 c35abb-c35ac9 280->302 281->213 282->240 284 c35a0d 282->284 285 c4c0ce-c4c0d0 283->285 286 c4c0e8-c4c102 283->286 293 c35932 284->293 294 c35991 284->294 290 c4c0d2-c4c0df 285->290 286->290 291 c4c104 286->291 287->280 298 c4c0e7 290->298 291->290 291->298 294->293 297 c35993 294->297 297->240 301->302 303 c35ab7-c35ab9 301->303 304 c35af2-c35af5 302->304 303->302 308 c35ad5 304->308 309 c35adb-c35adc 304->309 308->309 310 c35ad7-c35ad9 308->310 311 c35ae2 309->311 312 c35a45-c35a46 309->312 310->309 311->312 313 c35ae8 311->313 313->304
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                    • Instruction ID: bf73485cd105b51094b2ac9823f28b9366ff857c8c2c9f2d077fa749a623d597
                                    • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                    • Instruction Fuzzy Hash: 16F16A2072CF488FC769971D58413B973D2FB99310F58429EE85BC3296DE349D8AA386
                                    Function 00C35B42 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 358 c35b42-c35b47 call c35d90 360 c35b4c-c35b52 358->360 362 c35c42-c35c62 call c51280 360->362 363 c35b0d 360->363 378 c35c26 362->378 379 c35c14-c35cc0 362->379 363->362 364 c35b13 363->364 366 c35c8f-c35c96 364->366 368 c35c29 366->368 369 c35c98-c35c9a 366->369 371 c35cc2-c35cc9 call c352a0 368->371 372 c35c2f-c35c36 368->372 370 c35c9c 369->370 381 c35bfa 370->381 382 c35d0e-c35d18 370->382 387 c35ccb 371->387 388 c35c69 371->388 372->371 376 c35c3c 372->376 376->358 378->379 386 c35c28 378->386 379->371 381->382 389 c35c00 381->389 383 c35d54 382->383 384 c35d1a 382->384 392 c35d4b-c35d52 384->392 386->368 387->370 393 c35ccd 387->393 390 c35b68-c35d75 388->390 391 c35c6f 388->391 389->379 391->390 394 c35c75 391->394 392->383 395 c35d45-c35d47 392->395 393->370 396 c35ccf-c35ce4 CreateThread 393->396 394->366 398 c35d49 395->398 399 c35d5f 395->399 401 c35c01-c35c05 CloseHandle 396->401 402 c35cea 396->402 398->392 398->399 404 c35d65 399->404 407 c35d37-c35d41 401->407 402->401 405 c35cf0-c35cf6 402->405 404->404 407->392 409 c35d43 407->409 409->383
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                    • Instruction ID: 42965785af1faf843d9b00051d729b98162cc595bfdd4548688d0347fcbf7532
                                    • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                    • Instruction Fuzzy Hash: BE21033023CF40CFCB69AB19E4887B4B7E1EB5D318F6811A68467CF1E2CA24CE449356
                                    Function 00C35B87 Relevance: 1.5, APIs: 1, Instructions: 23threadCOMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 410 c35b87-c35d01 CreateThread 414 c35d07 410->414 415 c35bb4 410->415 414->415 416 c35d0d 414->416 417 c35c01-c35c05 CloseHandle 415->417 418 c35cda-c35ce4 CreateThread 415->418 421 c35d37-c35d41 417->421 418->417 422 c35cea 418->422 423 c35d43 421->423 424 c35d4b-c35d52 421->424 422->417 425 c35cf0-c35cf6 422->425 428 c35d54 423->428 427 c35d45-c35d47 424->427 424->428 429 c35d49 427->429 430 c35d5f 427->430 429->424 429->430 432 c35d65 430->432 432->432
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID:
                                    • API String ID: 2422867632-0
                                    • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                    • Instruction ID: 0496a2221e3805dc4ff6d28e7fae752db1d092af1d1ec665e8d274587bd8a99f
                                    • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                    • Instruction Fuzzy Hash: F8E0863062DB444FDB599B24581071D7AE5EB88318F1501CEC44AD71D1CB694A058792
                                    Function 00C3599B Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 433 c3599b-c3599e 434 c359f7 433->434 435 c359b8 call c50df0 433->435 436 c35a02 434->436 439 c359bd-c359c2 call c35d90 435->439 441 c359d4 436->441 442 c3597d 436->442 443 c359c7-c359ce 439->443 444 c3593b-c35a15 call c511a0 441->444 445 c359d8 441->445 442->441 446 c3597f-c35981 442->446 448 c359d0 443->448 449 c35a1a-c35a26 443->449 456 c359d9-c359de call c62190 445->456 447 c35983-c35a38 446->447 457 c35994-c3599c 447->457 458 c35a3e 447->458 448->449 453 c359d2-c359de 448->453 454 c359a1-c359b5 call c35e10 449->454 455 c35a2c-c35a34 449->455 453->457 466 c359e0 453->466 454->435 467 c35a08-c35a0b 454->467 455->456 456->457 456->466 457->436 463 c3599e 457->463 458->455 463->434 466->457 469 c359e2-c359ec 466->469 467->457 468 c35a0d 467->468 475 c35932 468->475 476 c35991 468->476 471 c35a62-c35a6e 469->471 472 c359ee-c359ef 469->472 473 c35a70 471->473 474 c35a75-c35ab3 call c51280 471->474 472->447 477 c359f1 call c69970 472->477 473->474 479 c35a72 473->479 487 c35ab5 474->487 488 c35abb-c35ac9 474->488 476->475 478 c35993 476->478 477->435 478->457 479->474 487->488 489 c35ab7-c35ab9 487->489 490 c35af2-c35af5 488->490 489->488 494 c35ad5 490->494 495 c35adb-c35adc 490->495 494->495 496 c35ad7-c35ad9 494->496 497 c35ae2 495->497 498 c35a45-c35a46 495->498 496->495 497->498 499 c35ae8 497->499 499->490
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID: wcscpy
                                    • String ID:
                                    • API String ID: 1284135714-0
                                    • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                    • Instruction ID: 12e63d3664ec34d2d4f41083347c84974f02c51d16f4aba6dbc09d18fced6930
                                    • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                    • Instruction Fuzzy Hash: 8401F97093DF80CFD727971954453796691F754320F280596905ECB192C8344F02B781
                                    Function 00C35BE2 Relevance: 1.3, APIs: 1, Instructions: 25COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 500 c35be2-c35be5 501 c35be7-c35bef 500->501 502 c35bfc-c35c05 CloseHandle 500->502 503 c35ca3 501->503 509 c35d37-c35d41 502->509 506 c35ca5 503->506 507 c35ca8-c35cb3 call c35e10 503->507 506->507 510 c35ca7 506->510 514 c35d26 507->514 515 c35cb5 507->515 512 c35d43 509->512 513 c35d4b-c35d52 509->513 510->509 517 c35d54 512->517 516 c35d45-c35d47 513->516 513->517 521 c35d27-c35d2a call c35910 514->521 515->514 520 c35cb7 515->520 518 c35d49 516->518 519 c35d5f 516->519 518->513 518->519 525 c35d65 519->525 522 c35d5b-c35d5d 520->522 526 c35d2e 521->526 522->519 525->525 526->522
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                    • Instruction ID: 3e03092d81f6ac67b15309d279fd7e6fb23dbb1020c46dbd1e4560ccf0aed7fb
                                    • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                    • Instruction Fuzzy Hash: D2E02B31538F0ACFEB54A61ADE092B522C0E73C3A8F2409218C03CB120E514CF06AB02
                                    Function 00C38090 Relevance: 1.3, APIs: 1, Instructions: 14COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 527 c38090-c38096 528 c38184 527->528 529 c38186 CloseHandle 528->529 530 c3818c-c38192 528->530 529->530 531 c38115-c38118 530->531 532 c38194 530->532 534 c380a7 531->534 535 c38119-c3811a 531->535 532->531 533 c3819a 532->533 536 c3813c 533->536 535->534 537 c3811c 535->537 536->528 538 c3820f 537->538 539 c38215-c3821e 538->539 540 c3808e-c38096 538->540 539->540 542 c38224 539->542 540->528 540->534 543 c381d7-c381e6 call c6715c 542->543 544 c38226 542->544 553 c380ca-c3810f GetTokenInformation 543->553 554 c38089 543->554 544->543 545 c38228-c382ee call c35d90 544->545 557 c382f0 545->557 558 c3830c-c3831e 545->558 562 c38111 553->562 563 c3812d 553->563 554->553 556 c3808b 554->556 566 c3808c 556->566 557->558 564 c382f2 557->564 560 c382a1-c382ba call c35d90 call c3ec00 558->560 561 c38320 558->561 560->561 567 c38322 561->567 568 c382f7-c382fc call c35d90 561->568 562->563 569 c38113 562->569 570 c38133 563->570 571 c380a8 563->571 564->568 566->540 567->568 574 c38324-c38326 567->574 589 c38253-c38265 call c51280 568->589 590 c38302 568->590 569->531 570->536 572 c381ed-c381f0 570->572 575 c380aa-c380ad 571->575 578 c381f6 572->578 579 c380da-c380f1 572->579 580 c38328 574->580 581 c38163-c38170 call c67164 575->581 582 c380b3-c38203 575->582 578->579 586 c381fc 578->586 579->575 592 c38335 580->592 593 c382df-c3832b 580->593 581->529 600 c38172 581->600 582->581 598 c38209 582->598 596 c381fe-c38201 GetTokenInformation 586->596 589->580 606 c3826b 589->606 590->589 597 c38308-c3830a 590->597 603 c3826e-c38285 592->603 593->592 605 c3832d-c38331 593->605 596->538 610 c381b7 596->610 597->558 600->530 608 c38287 603->608 609 c3829b-c3829d 603->609 605->592 606->603 611 c38239 606->611 612 c3824c 608->612 609->560 610->538 613 c381b9-c381ca 610->613 611->580 614 c3823f-c38243 611->614 612->609 615 c3824e-c38252 612->615 618 c380f3 613->618 619 c381d0 613->619 614->568 614->612 615->603 618->566 620 c380f5 618->620 619->596 625 c380c3 619->625 620->566 624 c38077 620->624 624->543 625->596 626 c380c9 625->626 626->553
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                    • Instruction ID: 6b9d08aa84109981c3e6b90c98c6ae274f52a1c635a133ab8b828730c699a4cf
                                    • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                    • Instruction Fuzzy Hash: EAC04C6163DF4696567906491C1B0FC3B509602795F5C0446BC2681324DD558F4B51DB
                                    Function 00C3817F Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 627 c3817f 628 c38184 627->628 629 c38186 CloseHandle 628->629 630 c3818c-c38192 628->630 629->630 631 c38115-c38118 630->631 632 c38194 630->632 634 c380a7 631->634 635 c38119-c3811a 631->635 632->631 633 c3819a 632->633 636 c3813c 633->636 635->634 637 c3811c 635->637 636->628 638 c3820f 637->638 639 c38215-c3821e 638->639 640 c3808e-c38096 638->640 639->640 642 c38224 639->642 640->628 640->634 643 c381d7-c381e6 call c6715c 642->643 644 c38226 642->644 653 c380ca-c3810f GetTokenInformation 643->653 654 c38089 643->654 644->643 645 c38228-c382ee call c35d90 644->645 657 c382f0 645->657 658 c3830c-c3831e 645->658 662 c38111 653->662 663 c3812d 653->663 654->653 656 c3808b 654->656 666 c3808c 656->666 657->658 664 c382f2 657->664 660 c382a1-c382ba call c35d90 call c3ec00 658->660 661 c38320 658->661 660->661 667 c38322 661->667 668 c382f7-c382fc call c35d90 661->668 662->663 669 c38113 662->669 670 c38133 663->670 671 c380a8 663->671 664->668 666->640 667->668 674 c38324-c38326 667->674 689 c38253-c38265 call c51280 668->689 690 c38302 668->690 669->631 670->636 672 c381ed-c381f0 670->672 675 c380aa-c380ad 671->675 678 c381f6 672->678 679 c380da-c380f1 672->679 680 c38328 674->680 681 c38163-c38170 call c67164 675->681 682 c380b3-c38203 675->682 678->679 686 c381fc 678->686 679->675 692 c38335 680->692 693 c382df-c3832b 680->693 681->629 700 c38172 681->700 682->681 698 c38209 682->698 696 c381fe-c38201 GetTokenInformation 686->696 689->680 706 c3826b 689->706 690->689 697 c38308-c3830a 690->697 703 c3826e-c38285 692->703 693->692 705 c3832d-c38331 693->705 696->638 710 c381b7 696->710 697->658 700->630 708 c38287 703->708 709 c3829b-c3829d 703->709 705->692 706->703 711 c38239 706->711 712 c3824c 708->712 709->660 710->638 713 c381b9-c381ca 710->713 711->680 714 c3823f-c38243 711->714 712->709 715 c3824e-c38252 712->715 718 c380f3 713->718 719 c381d0 713->719 714->668 714->712 715->703 718->666 720 c380f5 718->720 719->696 725 c380c3 719->725 720->666 724 c38077 720->724 724->643 725->696 726 c380c9 725->726 726->653
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                    • Instruction ID: c1f1eec48696f2b4868630efcacf8d4ca668e1beedda0ecb8e2f06eca5c9b43c
                                    • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                    • Instruction Fuzzy Hash: 97C092A0678B0987513826892C0A0BD3AA04613BA0F0D4512FD268A368DD984F4B42E2

                                    Non-executed Functions

                                    Function 00C62D40 Relevance: 1.8, APIs: 1, Instructions: 321COMMON
                                    Download Yara Rule
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID: _clrfp
                                    • String ID:
                                    • API String ID: 3618594692-0
                                    • Opcode ID: b2614b7e1b0189ae345bd4c1d95b1b808051b71dd771fb59e21b33d23e549fbc
                                    • Instruction ID: b7b08fd7b72afc30a09e93b0796eb3bdf37f29d66915edc4b6421a6a6c5c6244
                                    • Opcode Fuzzy Hash: b2614b7e1b0189ae345bd4c1d95b1b808051b71dd771fb59e21b33d23e549fbc
                                    • Instruction Fuzzy Hash: B4B16A31610A5D8FDBA9CF1CC8CAB6677E0FF59304F198599E86ACB262C335D952CB01
                                    Function 00C5EEB0 Relevance: .7, Instructions: 737COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 33f1da026cedb8bb4c154c58f95936b4a0e13185094ee08358de1f6eed02a0cf
                                    • Instruction ID: aced9e1f394c2d1740a3408650b3d1d5d186c70fa47c36cfecad040983deca44
                                    • Opcode Fuzzy Hash: 33f1da026cedb8bb4c154c58f95936b4a0e13185094ee08358de1f6eed02a0cf
                                    • Instruction Fuzzy Hash: 03F1A732668F1C079728EE9DAC8E2B573C2D3E8722F4A437F9805D3265DD75AC8185C2
                                    Function 00C37C00 Relevance: .4, Instructions: 370COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 724192d415810ac4f34237431d09bd2ecc20d27c57fa4998346b62a5e3d6f42c
                                    • Instruction ID: 0f55d5a71881dfc16bbb5d5e56a918e39c0ed1c96015c9df648268c5cea446fe
                                    • Opcode Fuzzy Hash: 724192d415810ac4f34237431d09bd2ecc20d27c57fa4998346b62a5e3d6f42c
                                    • Instruction Fuzzy Hash: 5DC14A3242DB684ED32B9F7D98812E6F3E4FFD9319F41872AD9C5A3060DB3855478286
                                    Function 00C5A810 Relevance: .3, Instructions: 257COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4e6b58e5a89bf5cdf24951cf629520558a61642b70cf246aec3f524e75493717
                                    • Instruction ID: 81878882f838a7c71bfcd71a9427000161ba3efb37b033e1f2411dee7fd754be
                                    • Opcode Fuzzy Hash: 4e6b58e5a89bf5cdf24951cf629520558a61642b70cf246aec3f524e75493717
                                    • Instruction Fuzzy Hash: 6061E531A293894B930DC91D9C864517B92EAA651937CC3ECCDD28F387E862F517C3D2
                                    Function 00C379F0 Relevance: .2, Instructions: 200COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1f5d48277bc0f55615c85d5447f4aabc13901e765d7b4c94bbb2eede31096fc
                                    • Instruction ID: c00cc17ca08ed3c2e61101c402762fd99a63628e00dbfe91416c52aa389cc81a
                                    • Opcode Fuzzy Hash: a1f5d48277bc0f55615c85d5447f4aabc13901e765d7b4c94bbb2eede31096fc
                                    • Instruction Fuzzy Hash: B65171D0A3C7848BDB794B2E085427EBAB1EB95328F1D63DBE06AC2291D9244F41B355
                                    Function 00C593B0 Relevance: .2, Instructions: 188COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f1cb0376d5f4543bb8137eeff6a4ca7b4a3039c8d8bd8826e253d9a000427cd9
                                    • Instruction ID: dd5ab14a278209c2a8eb9a9065036ab52eaa82f327a7141319c9eec701cba398
                                    • Opcode Fuzzy Hash: f1cb0376d5f4543bb8137eeff6a4ca7b4a3039c8d8bd8826e253d9a000427cd9
                                    • Instruction Fuzzy Hash: 53510DB28183058F8308CF19C882126FBE5FB8A714B15855EE9D697212D731F9538FC2
                                    Function 00C592A0 Relevance: .1, Instructions: 137COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2120793118.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_c30000_AppVClient.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0710a6d56e74f75e4f2d76c0792897e09a389baafeaf9ef38ca3dee3c678baf7
                                    • Instruction ID: 95f53bcb3013ffc607570205fa4a55d7e593650cec09bf4caffca84637faaae4
                                    • Opcode Fuzzy Hash: 0710a6d56e74f75e4f2d76c0792897e09a389baafeaf9ef38ca3dee3c678baf7
                                    • Instruction Fuzzy Hash: C84182B69683048F830CDF14C883422B7E4FB8A719B25C56DD9D64B202DB31F953DAC2

                                    Execution Graph

                                    Execution Coverage:4.1%
                                    Dynamic/Decrypted Code Coverage:98.1%
                                    Signature Coverage:0%
                                    Total number of Nodes:106
                                    Total number of Limit Nodes:7
                                    execution_graph 5752 9981b1 5756 998075 5752->5756 5753 998186 CloseHandle 5753->5756 5754 9981ad GetTokenInformation 5754->5756 5755 9980ca GetTokenInformation 5755->5756 5756->5753 5756->5754 5756->5755 5757 9980a7 5756->5757 5821 998090 5824 998075 5821->5824 5822 998186 CloseHandle 5822->5824 5823 9980ca GetTokenInformation 5823->5824 5824->5822 5824->5823 5825 9980a7 5824->5825 5826 9981ad GetTokenInformation 5824->5826 5826->5824 5847 9957f0 5850 9955ac 5847->5850 5848 9955e9 5850->5847 5850->5848 5851 9b3870 5850->5851 5852 9b3876 5851->5852 5854 9b3893 5852->5854 5855 9b3720 5852->5855 5854->5850 5856 9a0c42 5855->5856 5856->5855 5857 99e050 VirtualAlloc 5856->5857 5858 9b37dd 5856->5858 5857->5856 5858->5854 5858->5858 5832 9952f4 5835 9952cb 5832->5835 5833 9953c4 GetSystemDefaultLangID 5834 9952b0 5833->5834 5835->5833 5835->5834 5827 9952b7 5828 9952b0 5827->5828 5830 9952c4 5827->5830 5829 9953c4 GetSystemDefaultLangID 5831 995475 5829->5831 5830->5828 5830->5829 5867 995b09 5868 995b16 5867->5868 5869 995c01 CloseHandle 5868->5869 5870 995cdf CreateThread 5868->5870 5872 995c20 5868->5872 5873 995d37 5869->5873 5870->5868 5870->5869 5874 9954a0 5870->5874 5859 9955ef 5862 9955ac 5859->5862 5860 9b3870 VirtualAlloc 5860->5862 5861 9955e9 5862->5860 5862->5861 5758 995b00 5759 995bba 5758->5759 5766 9a52c0 5759->5766 5761 995bc7 5765 995bde 5761->5765 5771 9b0080 5761->5771 5767 9a52c6 5766->5767 5770 9a52ce 5766->5770 5767->5770 5785 99e050 5767->5785 5770->5761 5777 9b0089 5771->5777 5772 9b03e0 GetComputerNameW 5772->5777 5773 9b0181 VirtualFree 5773->5777 5774 99e050 VirtualAlloc 5774->5777 5775 9b03bf GetUserNameW 5775->5777 5776 9b04d6 GetComputerNameW 5776->5777 5777->5772 5777->5773 5777->5774 5777->5775 5777->5776 5778 995c7b 5777->5778 5779 998070 5778->5779 5781 998075 5779->5781 5780 998186 CloseHandle 5780->5781 5781->5780 5782 9981ad GetTokenInformation 5781->5782 5783 9980ca GetTokenInformation 5781->5783 5784 9980a7 5781->5784 5782->5781 5783->5781 5784->5765 5786 99e0c3 5785->5786 5787 99e0d8 VirtualAlloc 5786->5787 5787->5786 5836 995860 5837 9a52c0 VirtualAlloc 5836->5837 5838 995869 5837->5838 5839 9b0080 5 API calls 5838->5839 5840 99587d 5839->5840 5841 998070 3 API calls 5840->5841 5842 995870 5841->5842 5788 995be2 5789 995bfc CloseHandle 5788->5789 5791 995be7 5788->5791 5789->5791 5792 995b42 5794 995b07 5792->5794 5794->5792 5797 995bb4 5794->5797 5799 995b68 5794->5799 5800 9952a0 5794->5800 5795 995cdf CreateThread 5796 995c01 CloseHandle 5795->5796 5795->5797 5804 9954a0 5795->5804 5796->5799 5797->5795 5797->5796 5797->5799 5803 9952ab 5800->5803 5801 9953c4 GetSystemDefaultLangID 5802 9952b0 5801->5802 5802->5794 5803->5801 5803->5802 5805 9954b5 5804->5805 5863 9955e4 5865 9955ac 5863->5865 5864 9b3870 VirtualAlloc 5864->5865 5865->5863 5865->5864 5866 9955e9 5865->5866 5811 995b87 CreateThread 5812 995b1c 5811->5812 5819 995810 5811->5819 5813 995c01 CloseHandle 5812->5813 5814 995cdf CreateThread 5812->5814 5817 995c20 5812->5817 5816 995d37 5813->5816 5814->5812 5814->5813 5818 9954a0 5814->5818 5820 995822 5819->5820 5885 995347 5886 9952cb 5885->5886 5887 9953c4 GetSystemDefaultLangID 5886->5887 5889 9952b0 5886->5889 5888 995475 5887->5888

                                    Executed Functions

                                    Function 009952A0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 314 9952a0-9953fe 319 9d0d4c-9d0d4e 314->319 320 995400-995424 314->320 322 99539b 320->322 323 99542a 320->323 324 99539d-9953a1 322->324 325 995413-995419 322->325 323->322 326 995430-99543e 323->326 327 9952b0-9952b5 324->327 328 9953a7 324->328 329 995441-99544a 326->329 328->327 330 9953ad 328->330 334 995450 329->334 335 9953c4-9953ca GetSystemDefaultLangID 329->335 332 9953af 330->332 333 9953f3-9953f9 330->333 336 9953e0-9953f1 332->336 344 99532a 333->344 345 995355 333->345 342 995411 334->342 343 9953c1 334->343 338 995475-99547b 335->338 336->325 336->333 338->319 342->325 342->335 343->342 346 9953c3 343->346 344->345 348 99532c-99533f 344->348 349 9952e8-995363 345->349 350 9952d1-9952e7 345->350 351 99536b-99536f 348->351 356 9953d1-9953d5 349->356 357 995365 349->357 350->349 351->329 352 995375-995390 351->352 352->346 358 995392-99539a 352->358 356->324 359 9953d7 356->359 357->356 360 995367-995369 357->360 358->324 359->336 361 995342-995345 359->361 360->351 361->320 362 99534b 361->362 362->320 363 995351-995353 362->363 363->345
                                    APIs
                                    • GetSystemDefaultLangID.KERNELBASE ref: 009953C4
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID: DefaultLangSystem
                                    • String ID:
                                    • API String ID: 706401283-0
                                    • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                    • Instruction ID: 7e1f51885664d4502edf64c1499c77b036275aacca76b39c856f677499d9dcd5
                                    • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                    • Instruction Fuzzy Hash: A241E55140DE95CFDF27432C48662777BA89B223E2F9F08D7D496CA0F2E19C4C819726
                                    Function 009B0080 Relevance: 5.0, APIs: 3, Instructions: 466COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 0 9b0080-9b0286 2 9b0099-9b0575 0->2 3 9b028c 0->3 7 9b057b 2->7 8 9b0155 2->8 5 9b0445 3->5 5->2 6 9b044b-9b0457 5->6 9 9b0458-9b0472 GetComputerNameW 6->9 7->8 10 9b0581-9b0587 7->10 11 9b02ef-9b0495 call 99e050 * 2 8->11 15 9b03ee-9b03f4 9->15 16 9b024c-9b0253 9->16 13 9b058b 10->13 11->9 50 9b043e 11->50 18 9b058c-9b0591 13->18 19 9b0181 VirtualFree 13->19 37 9b00da-9b023f 15->37 38 9b03fa 15->38 23 9b01e6 16->23 24 9b0255 16->24 21 9b04ab-9b04af 18->21 22 9b0597 18->22 20 9b01a8-9b02ac call 9c7164 19->20 28 9b02b1-9b02be 20->28 48 9b04c7 21->48 22->21 30 9b059d 22->30 27 9b01ec-9b0313 call 9c715c 23->27 23->28 31 9b02d3 24->31 53 9b0318-9b031e 27->53 33 9b03bf-9b03d9 GetUserNameW 28->33 34 9b02c4 28->34 30->21 31->23 36 9b02d9 31->36 43 9b0331 33->43 34->33 44 9b02ca 34->44 36->11 37->16 51 9b0241-9b024a 37->51 38->37 45 9b0400 38->45 54 9b0171 43->54 55 9b0337 43->55 44->31 52 9bb1ee-9bb49f 45->52 59 9b04cc-9b04e6 call 9c9970 GetComputerNameW 48->59 50->5 51->16 51->28 57 9b0568-9b056b 53->57 58 9b0324 53->58 60 9b013f-9b0146 54->60 61 9b0173 54->61 55->54 56 9b033d 55->56 63 9b05d0-9b05d9 56->63 57->59 58->57 65 9b032a 58->65 70 9b04ec-9b0514 59->70 71 9b0131 59->71 60->13 62 9b0230 61->62 62->48 67 9b0236-9b05c2 62->67 63->52 65->43 67->48 74 9b05c8-9b05c9 67->74 70->57 72 9b0089-9b008c 71->72 73 9b0137 71->73 72->20 76 9b0092 72->76 73->72 77 9b013d 73->77 74->63 76->20 78 9b0098 76->78 77->19 77->60 78->2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID: ComputerName
                                    • String ID:
                                    • API String ID: 3545744682-0
                                    • Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                    • Instruction ID: 318193acf0547fbb5b573026f16a91d4196d427215b1f93992e386db591f7248
                                    • Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                    • Instruction Fuzzy Hash: 1AD1E43151CB0D8BC728EF58D94A7EBB7D5FBE0320F184A1ED846C7164DA789A458AC2
                                    Function 00998070 Relevance: 4.7, APIs: 3, Instructions: 236COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 79 998070-99817e 81 99813d-9981a5 79->81 82 998180 79->82 97 9981bd-9981ca 81->97 98 9981a7 81->98 83 99815f 82->83 84 998184 82->84 83->81 88 998161 83->88 85 99818c-998192 84->85 86 998186 CloseHandle 84->86 89 998115-998118 85->89 90 998194 85->90 86->85 92 998163-998170 call 9c7164 88->92 94 998119-99811a 89->94 95 9980a7 89->95 90->89 96 99819a 90->96 92->86 102 998172 92->102 94->95 100 99811c 94->100 101 99813c 96->101 107 9981d0 97->107 108 9980f3 97->108 103 99820f 100->103 101->84 102->85 105 99808e-998096 103->105 106 998215-99821e 103->106 105->84 105->95 106->105 118 998224 106->118 115 9981fe-998201 GetTokenInformation 107->115 116 9980c3 107->116 110 99808c 108->110 111 9980f5 108->111 110->105 111->110 117 998077 111->117 115->103 130 9981b7 115->130 116->115 120 9980c9 116->120 121 9981d7-9981de call 9c715c 117->121 118->121 122 998226 118->122 126 9980ca-9980d8 GetTokenInformation 120->126 128 9981e3-9981e6 121->128 122->121 123 998228-9982ee call 995d90 122->123 145 99830c-99831e 123->145 146 9982f0 123->146 129 99810f 126->129 128->126 144 998089 128->144 131 99812d 129->131 132 998111 129->132 130->103 135 9981b9-9981bb 130->135 139 9980a8 131->139 140 998133 131->140 132->131 137 998113 132->137 135->97 137->89 142 9980aa-9980ad 139->142 140->101 143 9981ed-9981f0 140->143 142->92 147 9980b3-998203 142->147 148 9980da-9980f1 143->148 149 9981f6 143->149 144->126 150 99808b 144->150 154 9982a1-9982ba call 995d90 call 99ec00 145->154 155 998320 145->155 146->145 151 9982f2 146->151 147->92 158 998209 147->158 148->142 149->148 153 9981fc 149->153 150->110 157 9982f7-9982fc call 995d90 151->157 153->115 154->155 155->157 159 998322 155->159 169 998253-998265 call 9b1280 157->169 170 998302 157->170 159->157 163 998324-998326 159->163 166 998328 163->166 173 9982df-99832b 166->173 174 998335 166->174 169->166 179 99826b 169->179 170->169 175 998308-99830a 170->175 173->174 180 99832d-998331 173->180 178 99826e-998285 174->178 175->145 181 99829b-99829d 178->181 182 998287 178->182 179->178 184 998239 179->184 180->174 181->154 183 99824c 182->183 183->181 186 99824e-998252 183->186 184->166 185 99823f-998243 184->185 185->157 185->183 186->178
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                    • Instruction ID: 0a4014a1951fa1c364b71e9d3b7041d8048a6752aa969b61b9256ea71c967e7e
                                    • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                    • Instruction Fuzzy Hash: 9F61433060CA459FDF758B2C881877B7BA8FB57390F680A5EE45BC31A0DF288C468352
                                    Function 00995B09 Relevance: 3.1, APIs: 2, Instructions: 60COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 187 995b09-995b3b 191 995cff-995d01 187->191 192 995bb4 191->192 193 995d07 191->193 194 995cda-995ce4 CreateThread 192->194 195 995c01-995d41 CloseHandle 192->195 193->192 196 995d0d 193->196 194->195 199 995cea 194->199 201 995d4b-995d52 195->201 202 995d43 195->202 199->195 203 995cf0-995cf6 199->203 204 995d45-995d47 201->204 205 995d54 201->205 202->205 203->191 206 995c20-995c68 203->206 208 995d49 204->208 209 995d5f 204->209 208->201 208->209 210 995d65 209->210 210->210
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                    • Instruction ID: b1c092ac289358fcd98f21ad272b8a8429bc7eb2b7edbf372381929755e1c95a
                                    • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                    • Instruction Fuzzy Hash: 6A01927010DF468FDF67572C9C1837B77D4AB55324F2B09ABC4C7CA0D5EA684905A712
                                    Function 00995910 Relevance: 1.9, APIs: 1, Instructions: 607COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 211 995910-995912 212 995950-995968 211->212 213 995915-995928 call 9c9970 211->213 212->213 214 99596a 212->214 220 9959b8 call 9b0df0 213->220 216 99592f 214->216 217 995970-99597b 214->217 216->213 219 995931-9a072c 216->219 221 99597d 217->221 222 9959d4 217->222 231 9a0732-9a0738 219->231 232 9a0806-9a0809 219->232 230 9959bd-9959c2 call 995d90 220->230 221->222 223 99597f-995981 221->223 225 9959d8-9959de 222->225 226 99593b-995a15 call 9b11a0 222->226 228 995983-995a38 223->228 240 9959e0 225->240 241 995994-99599c 225->241 228->241 243 995a3e 228->243 245 9959c7-9959ce 230->245 238 9a073e 231->238 239 9a0800 231->239 246 9a079d-9a07a6 232->246 238->239 247 9a0744-9a0774 238->247 239->232 244 9a06b3-9a06b7 239->244 240->241 257 9959e2-9959ec 240->257 254 99599e-9959f7 241->254 255 995a02 241->255 250 995a2c-995a34 243->250 244->246 256 9a06bd 244->256 251 995a1a-995a26 245->251 252 9959d0 245->252 248 9a07a8 246->248 249 9a0791-9a0793 246->249 264 9a077a-9a081c 247->264 265 9a06d5-9a06d9 247->265 248->249 260 9a07aa 248->260 267 9a07ca-9a07cc 249->267 261 9959d9-9959de call 9c2190 250->261 251->250 262 9959a1-9959b5 call 995e10 251->262 252->251 263 9959d2 252->263 254->255 255->217 256->246 268 9a06c3-9a07fe 256->268 258 9959ee-9959ef 257->258 259 995a62-995a6e 257->259 258->228 270 9959f1 258->270 273 995a70 259->273 274 995a75-995ab3 call 9b1280 259->274 260->267 261->240 261->241 262->220 285 995a08-995a0b 262->285 263->261 264->246 271 9a06db 265->271 272 9a06df 265->272 268->239 270->213 271->272 280 9a06dd 271->280 272->246 273->274 283 995a72 273->283 299 995abb-995ac9 274->299 300 995ab5 274->300 280->272 286 9ac0cc 280->286 283->274 285->241 287 995a0d 285->287 288 9ac0e8-9ac102 286->288 289 9ac0ce-9ac0d0 286->289 296 995991 287->296 297 995932 287->297 292 9ac0d2-9ac0df 288->292 293 9ac104 288->293 289->292 302 9ac0e7 292->302 293->292 293->302 296->297 301 995993 296->301 303 995af2-995af5 299->303 300->299 304 995ab7-995ab9 300->304 301->241 308 995adb-995adc 303->308 309 995ad5 303->309 304->299 310 995ae2 308->310 311 995a45-995a46 308->311 309->308 312 995ad7-995ad9 309->312 310->311 313 995ae8 310->313 312->308 313->303
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                    • Instruction ID: 8fceb520db467d50f50b7a6d392188be37ef6567eaa8d8ed10de84621d20dec2
                                    • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                    • Instruction Fuzzy Hash: CAF1282171CE488FDB6A971C59513FA73D2F7DA320F99459EE04FC3296DD289C468382
                                    Function 00995B42 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 364 995b42-995b47 call 995d90 366 995b4c-995b52 364->366 368 995b0d 366->368 369 995c42-995c62 call 9b1280 366->369 368->369 371 995b13 368->371 380 995c68 369->380 381 995c24 369->381 372 995c8f-995c96 371->372 374 995c29 372->374 375 995c98-995c9a 372->375 378 995c2f-995c36 374->378 379 995cc2-995cc9 call 9952a0 374->379 377 995c9c 375->377 385 995bfa 377->385 386 995d0e-995d18 377->386 378->379 384 995c3c 378->384 390 995c69 379->390 391 995ccb 379->391 387 995c14-995c19 381->387 388 995c26 381->388 384->364 385->386 392 995c00 385->392 393 995d1a 386->393 394 995d54 386->394 395 995cc0 387->395 396 995c20-995c21 387->396 388->387 397 995c28 388->397 399 995b68-995d75 390->399 400 995c6f 390->400 391->377 398 995ccd 391->398 392->387 401 995d4b-995d52 393->401 395->379 396->380 397->374 398->377 403 995ccf-995cdd 398->403 400->399 405 995c75 400->405 401->394 402 995d45-995d47 401->402 407 995d49 402->407 408 995d5f 402->408 406 995cdf-995ce4 CreateThread 403->406 405->372 409 995cea 406->409 410 995c01-995c05 CloseHandle 406->410 407->401 407->408 411 995d65 408->411 409->410 412 995cf0-995cf6 409->412 415 995d37-995d41 410->415 411->411 412->396 414 995cff-995d01 412->414 417 995bb4 414->417 418 995d07 414->418 415->401 416 995d43 415->416 416->394 417->410 419 995cda-995cdd 417->419 418->417 420 995d0d 418->420 419->406
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                    • Instruction ID: 73e7bccd0938c447e1933088e2ec6cb52898ce5f2e8c7f0ebe3bee80ff00ba16
                                    • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                    • Instruction Fuzzy Hash: 8E21B23020CF458FDF6B9B2C845877766E9AB59311F5B09A68087CF2D6EA28CC44D356
                                    Function 00995B87 Relevance: 1.5, APIs: 1, Instructions: 23threadCOMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 421 995b87-995b99 CreateThread 424 995cff-995d01 421->424 425 995bb4 424->425 426 995d07 424->426 427 995cda-995ce4 CreateThread 425->427 428 995c01-995c05 CloseHandle 425->428 426->425 429 995d0d 426->429 427->428 432 995cea 427->432 433 995d37-995d41 428->433 432->428 436 995cf0-995cf6 432->436 434 995d4b-995d52 433->434 435 995d43 433->435 437 995d45-995d47 434->437 438 995d54 434->438 435->438 436->424 439 995c20-995c68 436->439 441 995d49 437->441 442 995d5f 437->442 441->434 441->442 443 995d65 442->443 443->443
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID:
                                    • API String ID: 2422867632-0
                                    • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                    • Instruction ID: e0bec9f308ab4e61039d39e5155d7732c80c334bdbdf0158e00e3f997bafe22b
                                    • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                    • Instruction Fuzzy Hash: B9E0863060DF444FDF5B9B28981031A3AE5EB88310F1A05DEC44AD71D1DB6949058792
                                    Function 0099599B Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 444 99599b-99599e 445 9959f7 444->445 446 995a02 445->446 448 99597d 446->448 449 9959d4 446->449 448->449 450 99597f-995981 448->450 451 9959d8-9959de 449->451 452 99593b-995a15 call 9b11a0 449->452 453 995983-995a38 450->453 458 9959e0 451->458 459 995994-99599c 451->459 453->459 461 995a3e 453->461 458->459 464 9959e2-9959ec 458->464 459->446 463 99599e 459->463 462 995a2c-995a34 461->462 467 9959d9-9959de call 9c2190 462->467 463->445 465 9959ee-9959ef 464->465 466 995a62-995a6e 464->466 465->453 468 9959f1 call 9c9970 465->468 469 995a70 466->469 470 995a75-995ab3 call 9b1280 466->470 467->458 467->459 480 9959b8 call 9b0df0 468->480 469->470 475 995a72 469->475 484 995abb-995ac9 470->484 485 995ab5 470->485 475->470 483 9959bd-9959c2 call 995d90 480->483 489 9959c7-9959ce 483->489 487 995af2-995af5 484->487 485->484 488 995ab7-995ab9 485->488 500 995adb-995adc 487->500 501 995ad5 487->501 488->484 490 995a1a-995a26 489->490 491 9959d0 489->491 490->462 493 9959a1-9959b5 call 995e10 490->493 491->490 494 9959d2 491->494 493->480 499 995a08-995a0b 493->499 494->467 499->459 504 995a0d 499->504 502 995ae2 500->502 503 995a45-995a46 500->503 501->500 505 995ad7-995ad9 501->505 502->503 506 995ae8 502->506 508 995991 504->508 509 995932 504->509 505->500 506->487 508->509 510 995993 508->510 510->459
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID: wcscpy
                                    • String ID:
                                    • API String ID: 1284135714-0
                                    • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                    • Instruction ID: c1e66d732b224f527dca0f85ec48c694ce6112ecfa8866b0668fb00bc32206c6
                                    • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                    • Instruction Fuzzy Hash: 3C01D66090EE80CFFF17A71C405537B6555B794330FAB095AA08ACB192C8384D009746
                                    Function 00995BE2 Relevance: 1.3, APIs: 1, Instructions: 25COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 511 995be2-995be5 512 995bfc-995c05 CloseHandle 511->512 513 995be7-995bef 511->513 520 995d37-995d41 512->520 514 995ca3 513->514 517 995ca8-995cb3 call 995e10 514->517 518 995ca5 514->518 527 995cb5 517->527 528 995d26 517->528 518->517 521 995ca7 518->521 522 995d4b-995d52 520->522 523 995d43 520->523 521->520 525 995d45-995d47 522->525 526 995d54 522->526 523->526 531 995d49 525->531 532 995d5f 525->532 527->528 529 995cb7 527->529 530 995d27-995d2a call 995910 528->530 533 995d5b-995d5d 529->533 537 995d2e 530->537 531->522 531->532 535 995d65 532->535 533->532 535->535 537->533
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                    • Instruction ID: c7fd87fc302d6e764ba1acd5242ae77c03c2d1407103774133f0be078fa3d8da
                                    • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                    • Instruction Fuzzy Hash: 01E0C27150CF0ACFEF57B61CC80927722C4D7283213270D218802D7150F41CCE066B12
                                    Function 00998090 Relevance: 1.3, APIs: 1, Instructions: 14COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 538 998090-998096 539 998184 538->539 540 99818c-998192 539->540 541 998186 CloseHandle 539->541 542 998115-998118 540->542 543 998194 540->543 541->540 544 998119-99811a 542->544 545 9980a7 542->545 543->542 546 99819a 543->546 544->545 547 99811c 544->547 548 99813c 546->548 549 99820f 547->549 548->539 550 99808e-998096 549->550 551 998215-99821e 549->551 550->539 550->545 551->550 553 998224 551->553 554 9981d7-9981e6 call 9c715c 553->554 555 998226 553->555 565 998089 554->565 566 9980ca-99810f GetTokenInformation 554->566 555->554 556 998228-9982ee call 995d90 555->556 567 99830c-99831e 556->567 568 9982f0 556->568 565->566 570 99808b 565->570 571 99812d 566->571 572 998111 566->572 574 9982a1-9982ba call 995d90 call 99ec00 567->574 575 998320 567->575 568->567 573 9982f2 568->573 576 99808c 570->576 580 9980a8 571->580 581 998133 571->581 572->571 578 998113 572->578 579 9982f7-9982fc call 995d90 573->579 574->575 575->579 582 998322 575->582 576->550 578->542 599 998253-998265 call 9b1280 579->599 600 998302 579->600 584 9980aa-9980ad 580->584 581->548 586 9981ed-9981f0 581->586 582->579 587 998324-998326 582->587 589 998163-998170 call 9c7164 584->589 590 9980b3-998203 584->590 591 9980da-9980f1 586->591 592 9981f6 586->592 594 998328 587->594 589->541 610 998172 589->610 590->589 608 998209 590->608 591->584 592->591 598 9981fc 592->598 605 9982df-99832b 594->605 606 998335 594->606 604 9981fe-998201 GetTokenInformation 598->604 599->594 615 99826b 599->615 600->599 607 998308-99830a 600->607 604->549 623 9981b7 604->623 605->606 617 99832d-998331 605->617 614 99826e-998285 606->614 607->567 610->540 619 99829b-99829d 614->619 620 998287 614->620 615->614 622 998239 615->622 617->606 619->574 621 99824c 620->621 621->619 626 99824e-998252 621->626 622->594 624 99823f-998243 622->624 623->549 625 9981b9-9981ca 623->625 624->579 624->621 629 9981d0 625->629 630 9980f3 625->630 626->614 629->604 635 9980c3 629->635 630->576 632 9980f5 630->632 632->576 636 998077 632->636 635->604 637 9980c9 635->637 636->554 637->566
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                    • Instruction ID: 0ebfad7ed046831af2fc8c07419aed7eb621a9afe250e7e6715db5aeb8359688
                                    • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                    • Instruction Fuzzy Hash: 32C04C6152D946966E79064C1C1B0B726589603755B1C084E9C0685220DE598E8351AB
                                    Function 0099817F Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 638 99817f 639 998184 638->639 640 99818c-998192 639->640 641 998186 CloseHandle 639->641 642 998115-998118 640->642 643 998194 640->643 641->640 644 998119-99811a 642->644 645 9980a7 642->645 643->642 646 99819a 643->646 644->645 647 99811c 644->647 648 99813c 646->648 649 99820f 647->649 648->639 650 99808e-998096 649->650 651 998215-99821e 649->651 650->639 650->645 651->650 653 998224 651->653 654 9981d7-9981e6 call 9c715c 653->654 655 998226 653->655 665 998089 654->665 666 9980ca-99810f GetTokenInformation 654->666 655->654 656 998228-9982ee call 995d90 655->656 667 99830c-99831e 656->667 668 9982f0 656->668 665->666 670 99808b 665->670 671 99812d 666->671 672 998111 666->672 674 9982a1-9982ba call 995d90 call 99ec00 667->674 675 998320 667->675 668->667 673 9982f2 668->673 676 99808c 670->676 680 9980a8 671->680 681 998133 671->681 672->671 678 998113 672->678 679 9982f7-9982fc call 995d90 673->679 674->675 675->679 682 998322 675->682 676->650 678->642 699 998253-998265 call 9b1280 679->699 700 998302 679->700 684 9980aa-9980ad 680->684 681->648 686 9981ed-9981f0 681->686 682->679 687 998324-998326 682->687 689 998163-998170 call 9c7164 684->689 690 9980b3-998203 684->690 691 9980da-9980f1 686->691 692 9981f6 686->692 694 998328 687->694 689->641 710 998172 689->710 690->689 708 998209 690->708 691->684 692->691 698 9981fc 692->698 705 9982df-99832b 694->705 706 998335 694->706 704 9981fe-998201 GetTokenInformation 698->704 699->694 715 99826b 699->715 700->699 707 998308-99830a 700->707 704->649 723 9981b7 704->723 705->706 717 99832d-998331 705->717 714 99826e-998285 706->714 707->667 710->640 719 99829b-99829d 714->719 720 998287 714->720 715->714 722 998239 715->722 717->706 719->674 721 99824c 720->721 721->719 726 99824e-998252 721->726 722->694 724 99823f-998243 722->724 723->649 725 9981b9-9981ca 723->725 724->679 724->721 729 9981d0 725->729 730 9980f3 725->730 726->714 729->704 735 9980c3 729->735 730->676 732 9980f5 730->732 732->676 736 998077 732->736 735->704 737 9980c9 735->737 736->654 737->666
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3341893983.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                    • Instruction ID: 6a90d42bd3a293ff1465b01179d1ac86244813da0b9dac14497396e5d752d484
                                    • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                    • Instruction Fuzzy Hash: 5DC092A055C509876D38268C2C0A0B3355C8613760F0C481FEC068A360DE598D8351B2

                                    Execution Graph

                                    Execution Coverage:0.8%
                                    Dynamic/Decrypted Code Coverage:5.9%
                                    Signature Coverage:9.8%
                                    Total number of Nodes:102
                                    Total number of Limit Nodes:9
                                    execution_graph 91831 425203 91832 42521c 91831->91832 91833 425267 91832->91833 91836 4252a7 91832->91836 91838 4252ac 91832->91838 91839 42ec73 91833->91839 91837 42ec73 RtlFreeHeap 91836->91837 91837->91838 91842 42cf43 91839->91842 91841 425274 91843 42cf60 91842->91843 91844 42cf71 RtlFreeHeap 91843->91844 91844->91841 91845 42ed53 91848 42cef3 91845->91848 91847 42ed6e 91849 42cf0d 91848->91849 91850 42cf1e RtlAllocateHeap 91849->91850 91850->91847 91851 424e73 91852 424e8f 91851->91852 91853 424eb7 91852->91853 91854 424ecb 91852->91854 91855 42cbc3 NtClose 91853->91855 91861 42cbc3 91854->91861 91857 424ec0 91855->91857 91858 424ed4 91864 42ed93 RtlAllocateHeap 91858->91864 91860 424edf 91862 42cbe0 91861->91862 91863 42cbf1 NtClose 91862->91863 91863->91858 91864->91860 91865 42fd73 91866 42ec73 RtlFreeHeap 91865->91866 91867 42fd88 91866->91867 91868 42c193 91869 42c1ad 91868->91869 91872 3972df0 LdrInitializeThunk 91869->91872 91870 42c1d5 91872->91870 91873 414213 91877 414233 91873->91877 91875 41429c 91876 414292 91877->91875 91878 41b923 RtlFreeHeap LdrInitializeThunk 91877->91878 91878->91876 91879 417d33 91880 417d57 91879->91880 91881 417d93 LdrLoadDll 91880->91881 91882 417d5e 91880->91882 91881->91882 91883 424a14 91884 424a35 91883->91884 91885 424a53 91884->91885 91886 424a68 91884->91886 91887 42cbc3 NtClose 91885->91887 91888 42cbc3 NtClose 91886->91888 91889 424a5c 91887->91889 91891 424a71 91888->91891 91890 424aa8 91891->91890 91892 42ec73 RtlFreeHeap 91891->91892 91893 424a9c 91892->91893 91894 3972b60 LdrInitializeThunk 91895 401c9b 91896 401cc0 91895->91896 91899 4301e3 91896->91899 91902 42e833 91899->91902 91903 42e859 91902->91903 91912 4076b3 91903->91912 91905 42e86f 91911 401d44 91905->91911 91915 41b613 91905->91915 91907 42e88e 91908 42e8a3 91907->91908 91909 42cf93 ExitProcess 91907->91909 91926 42cf93 91908->91926 91909->91908 91929 4169f3 91912->91929 91914 4076c0 91914->91905 91916 41b63f 91915->91916 91947 41b503 91916->91947 91919 41b684 91921 41b6a0 91919->91921 91924 42cbc3 NtClose 91919->91924 91920 41b66c 91922 41b677 91920->91922 91923 42cbc3 NtClose 91920->91923 91921->91907 91922->91907 91923->91922 91925 41b696 91924->91925 91925->91907 91927 42cfb0 91926->91927 91928 42cfbe ExitProcess 91927->91928 91928->91911 91930 416a0d 91929->91930 91932 416a26 91930->91932 91933 42d613 91930->91933 91932->91914 91935 42d62d 91933->91935 91934 42d65c 91934->91932 91935->91934 91940 42c1e3 91935->91940 91938 42ec73 RtlFreeHeap 91939 42d6cf 91938->91939 91939->91932 91941 42c200 91940->91941 91944 3972c0a 91941->91944 91942 42c22c 91942->91938 91945 3972c11 91944->91945 91946 3972c1f LdrInitializeThunk 91944->91946 91945->91942 91946->91942 91948 41b51d 91947->91948 91952 41b5f9 91947->91952 91953 42c283 91948->91953 91951 42cbc3 NtClose 91951->91952 91952->91919 91952->91920 91954 42c2a0 91953->91954 91957 39735c0 LdrInitializeThunk 91954->91957 91955 41b5ed 91955->91951 91957->91955

                                    Executed Functions

                                    Function 00417D33 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 17 417d33-417d4f 18 417d57-417d5c 17->18 19 417d52 call 42f853 17->19 20 417d62-417d70 call 42fe53 18->20 21 417d5e-417d61 18->21 19->18 24 417d80-417d91 call 42e303 20->24 25 417d72-417d7d call 4300f3 20->25 30 417d93-417da7 LdrLoadDll 24->30 31 417daa-417dad 24->31 25->24 30->31
                                    APIs
                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417DA5
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_svchost.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Load
                                    • String ID:
                                    • API String ID: 2234796835-0
                                    • Opcode ID: 0be3bc74d5995a7e08341bcaf2783a4711931e808e7d62a3eba1c5cca92af118
                                    • Instruction ID: ae2ee3aa123030a93371a90aae5c15a357f6186521cbecc4218c47f745088a53
                                    • Opcode Fuzzy Hash: 0be3bc74d5995a7e08341bcaf2783a4711931e808e7d62a3eba1c5cca92af118
                                    • Instruction Fuzzy Hash: FB0125B5E4410DABDF10DBE5DC42FDEB378AF54708F0081AAE90897241F635EB588755
                                    Function 0042CBC3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 42 42cbc3-42cbff call 404a03 call 42ddf3 NtClose
                                    APIs
                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CBFA
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_svchost.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: 269f4b840767996b2b8e8b6d12307b5df4f825c3c4f1e0b30bb5cc6b1af6b3bc
                                    • Instruction ID: b057d5543e044f4a2c14d076f6298b435d6ddddfe311a738b28b53c9380460d5
                                    • Opcode Fuzzy Hash: 269f4b840767996b2b8e8b6d12307b5df4f825c3c4f1e0b30bb5cc6b1af6b3bc
                                    • Instruction Fuzzy Hash: F2E04F352542147BD620EA5ADC01FAB775CDBC5714F004419FA0867241CA74B90187F4
                                    Function 03972B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 56 3972b60-3972b6c LdrInitializeThunk
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 151f3ac5a8fa9762a6db999dbb57c66b435b333a2df877fb69d40c93a2a89f20
                                    • Instruction ID: 22c36522434eb6944a2960d28ddf6e72643fa080337c264e3b10282863818cec
                                    • Opcode Fuzzy Hash: 151f3ac5a8fa9762a6db999dbb57c66b435b333a2df877fb69d40c93a2a89f20
                                    • Instruction Fuzzy Hash: 99900261206504035105B2584458656404F87E0301B95C021E1014594DC62589916135
                                    Function 03972DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 57 3972df0-3972dfc LdrInitializeThunk
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 59c4f21452b4794254a7616726d19b579ffa29b915d72d3bd7481c6705e45172
                                    • Instruction ID: 0f3c359a53053e280df62dd54102a81f1997600eb213e6536177792b7b24990b
                                    • Opcode Fuzzy Hash: 59c4f21452b4794254a7616726d19b579ffa29b915d72d3bd7481c6705e45172
                                    • Instruction Fuzzy Hash: 7290023120550813E111B2584548747004E87D0341FD5C412A042455CD97568A52A131
                                    Function 039735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 58 39735c0-39735cc LdrInitializeThunk
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 4be9a3a027b1213746c62ef976b0f763c22a985be547b845e1c0e620e8c3881e
                                    • Instruction ID: 4497bbe5aac9f59624acf363cc827cabf1ee1e51e0668e8625c02bc64c62714c
                                    • Opcode Fuzzy Hash: 4be9a3a027b1213746c62ef976b0f763c22a985be547b845e1c0e620e8c3881e
                                    • Instruction Fuzzy Hash: 7F90023160960802E100B2584558746104A87D0301FA5C411A042456CD87958A5165B2
                                    Function 0042CEF3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 32 42cef3-42cf34 call 404a03 call 42ddf3 RtlAllocateHeap
                                    APIs
                                    • RtlAllocateHeap.NTDLL(?,0041EAAB,?,?,00000000,?,0041EAAB,?,?,?), ref: 0042CF2F
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_svchost.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 3420db10d073a5efad60dcfb74614f411e6747d31bb56159a71ed274f13e6f09
                                    • Instruction ID: fd1888a7282c7fb23df7204e591c46f02050297dd24ea3d1fc7722fdc3d89532
                                    • Opcode Fuzzy Hash: 3420db10d073a5efad60dcfb74614f411e6747d31bb56159a71ed274f13e6f09
                                    • Instruction Fuzzy Hash: 97E03976604204BBDA14EE59DC41E9B73ACEB85710F004019FA08A7241CA74B9148AB8
                                    Function 0042CF43 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 37 42cf43-42cf87 call 404a03 call 42ddf3 RtlFreeHeap
                                    APIs
                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,81B10E30,00000007,00000000,00000004,00000000,004175B4,000000F4), ref: 0042CF82
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_svchost.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 6c51d2db6ac27ed642035eaa4ff49f9d5eeaf71941817a7964db49ecfc6816b6
                                    • Instruction ID: fbd61fb0b741d82560c4d04101878cf5d23926d7f7be8b19f994aed718f924dd
                                    • Opcode Fuzzy Hash: 6c51d2db6ac27ed642035eaa4ff49f9d5eeaf71941817a7964db49ecfc6816b6
                                    • Instruction Fuzzy Hash: 1EE092752042447BDA14EE59DC41FDB73ADEFC5714F00401AF908A7241D774BD108BB8
                                    Function 0042CF93 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 47 42cf93-42cfcc call 404a03 call 42ddf3 ExitProcess
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2455438608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_svchost.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: c23a8e7ce5b4a8f13651262a731dd20522f451fad6c05e0ac0a6d8472d0eef3c
                                    • Instruction ID: 9b9881b542ed37be12066d1bb8c9db716c765d7113678b6f658dfca27e228aad
                                    • Opcode Fuzzy Hash: c23a8e7ce5b4a8f13651262a731dd20522f451fad6c05e0ac0a6d8472d0eef3c
                                    • Instruction Fuzzy Hash: 36E08C362102547BD620EB9ADC41F9BB76CEFC9724F40441AFA08B7642C6B4B90087F4
                                    Function 03972C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 52 3972c0a-3972c0f 53 3972c11-3972c18 52->53 54 3972c1f-3972c26 LdrInitializeThunk 52->54
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: fea47fb81015302c2983c049f450e4ff34636386537b9d3f34eba3efdfd9624c
                                    • Instruction ID: f1adfedf48a7cdca55495524b5188a0c29a4bede56addcfdf41bc260ae88798b
                                    • Opcode Fuzzy Hash: fea47fb81015302c2983c049f450e4ff34636386537b9d3f34eba3efdfd9624c
                                    • Instruction Fuzzy Hash: F0B09B719055C5C5EA11F760460C717794D67D0741F5DC4A1D3430645E4739C1D1E175

                                    Non-executed Functions

                                    Function 039B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                    • API String ID: 0-2160512332
                                    • Opcode ID: 50bc9ae0f48d6d5354d423fa5a1631bdd8d0cda1e1831f028af4c44d76b6c4c3
                                    • Instruction ID: d69db52b551a866e5df470c44937dedfa463479ddbd1a340b7523583f381ba76
                                    • Opcode Fuzzy Hash: 50bc9ae0f48d6d5354d423fa5a1631bdd8d0cda1e1831f028af4c44d76b6c4c3
                                    • Instruction Fuzzy Hash: 50925A75608745ABE721DF24C984BABB7F8FB84750F084D2DFA949B290D770E844CB92
                                    Function 03968620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                                    Download Yara Rule
                                    Strings
                                    • Invalid debug info address of this critical section, xrefs: 039A54B6
                                    • undeleted critical section in freed memory, xrefs: 039A542B
                                    • 8, xrefs: 039A52E3
                                    • Thread is in a state in which it cannot own a critical section, xrefs: 039A5543
                                    • Critical section address., xrefs: 039A5502
                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 039A54CE
                                    • corrupted critical section, xrefs: 039A54C2
                                    • Critical section debug info address, xrefs: 039A541F, 039A552E
                                    • Critical section address, xrefs: 039A5425, 039A54BC, 039A5534
                                    • Address of the debug info found in the active list., xrefs: 039A54AE, 039A54FA
                                    • double initialized or corrupted critical section, xrefs: 039A5508
                                    • Thread identifier, xrefs: 039A553A
                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 039A540A, 039A5496, 039A5519
                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 039A54E2
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                    • API String ID: 0-2368682639
                                    • Opcode ID: 740501b9b2a64203f38ae1932668469de334c5d351b6f2527179ad5c5bef8b8d
                                    • Instruction ID: 73084797cd128bf1abbc5770032479d36276c20d40930c0f1d1a58e547873fbd
                                    • Opcode Fuzzy Hash: 740501b9b2a64203f38ae1932668469de334c5d351b6f2527179ad5c5bef8b8d
                                    • Instruction Fuzzy Hash: 7681D1B1A04758EFDB20CF98C840BAEBBF9FB89704F154259F554BB281D771A941CBA0
                                    Function 039629F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
                                    Download Yara Rule
                                    Strings
                                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 039A2602
                                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 039A2498
                                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 039A2409
                                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 039A2412
                                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 039A261F
                                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 039A2624
                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 039A25EB
                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 039A2506
                                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 039A24C0
                                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 039A22E4
                                    • @, xrefs: 039A259B
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                    • API String ID: 0-4009184096
                                    • Opcode ID: bf1a8bfc5e8b6d3e3de4817c353d278236c7771579b01a7a58a1330f335f5bcb
                                    • Instruction ID: 129ace27612eaae50794101a816764b734a74afc72bb7c8baab371778ac5fbf3
                                    • Opcode Fuzzy Hash: bf1a8bfc5e8b6d3e3de4817c353d278236c7771579b01a7a58a1330f335f5bcb
                                    • Instruction Fuzzy Hash: F40291B5D016299FDB30DB14CC80BDDB7B8AF45304F0449EAEA89A7241DB319E84CF99
                                    Function 039D8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                    • API String ID: 0-2515994595
                                    • Opcode ID: 790f934659534113daaac562eb42d5b40c68a9c87653eebedf2f83d90bbdc856
                                    • Instruction ID: 333cb799f38795e71747b816c7e97f7057d0bed748d1d80f48341b8ad0e661d7
                                    • Opcode Fuzzy Hash: 790f934659534113daaac562eb42d5b40c68a9c87653eebedf2f83d90bbdc856
                                    • Instruction Fuzzy Hash: 1A51B3725083459FC325DF688885BABB7ECEFD4290F18891DE859C7286E770D504C792
                                    Function 039E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                    • API String ID: 0-1700792311
                                    • Opcode ID: dea38113257449c34e3d44f597cc27254b967e2a8ff9236c64ffa144da7dd48f
                                    • Instruction ID: c61e003230c1e32b974cefe1a5427767954135faf23482bbcdaf96b0185dfd35
                                    • Opcode Fuzzy Hash: dea38113257449c34e3d44f597cc27254b967e2a8ff9236c64ffa144da7dd48f
                                    • Instruction Fuzzy Hash: F2D1EE7A604B85DFCB22EF6AC440AAEFBF5FF8A714F088049E4559B352D7B49941CB10
                                    Function 03962F98 Relevance: 9.1, Strings: 7, Instructions: 307COMMON
                                    Download Yara Rule
                                    Strings
                                    • SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 039A2881
                                    • SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 039A29B1
                                    • RtlpProbeAssemblyStorageRootForAssembly, xrefs: 039A29AC
                                    • SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 039A2856
                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 039A292E
                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 039A28B2
                                    • @, xrefs: 03963180
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
                                    • API String ID: 0-541586583
                                    • Opcode ID: a77c33d6a0afc57e1557b54e091e737126f49e56ec797e218a6b97a0eb0a8936
                                    • Instruction ID: d8c2c95fa5a0612863df90fb71e0f5c60f189d54549fe607deea10b6dd21e5d2
                                    • Opcode Fuzzy Hash: a77c33d6a0afc57e1557b54e091e737126f49e56ec797e218a6b97a0eb0a8936
                                    • Instruction Fuzzy Hash: C0C1C775D056299BDB30DF59CC89BBAB3B8EF84750F0445E9E889AB250D7309E80CF91
                                    Function 039B89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
                                    Download Yara Rule
                                    Strings
                                    • VerifierFlags, xrefs: 039B8C50
                                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 039B8A67
                                    • VerifierDlls, xrefs: 039B8CBD
                                    • AVRF: -*- final list of providers -*- , xrefs: 039B8B8F
                                    • HandleTraces, xrefs: 039B8C8F
                                    • VerifierDebug, xrefs: 039B8CA5
                                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 039B8A3D
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                    • API String ID: 0-3223716464
                                    • Opcode ID: 3bfdaa45e96f99e0fc906933608146a99d13677b8f534548561855e92c8aa22b
                                    • Instruction ID: 8870d7e1f83a0a935df5b3d9351ad41448d12775dad44b5a15fa08b3d3753528
                                    • Opcode Fuzzy Hash: 3bfdaa45e96f99e0fc906933608146a99d13677b8f534548561855e92c8aa22b
                                    • Instruction Fuzzy Hash: 88914872A49795AFD321EF2C8A80BAAB7FCFB89B50F050859F9456F241C7709C01C795
                                    Function 0393EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                    • API String ID: 0-1109411897
                                    • Opcode ID: 90b3c50b672d8755f4335478d7281eb2dbe7f0234314d35b94f107fb10bc0e73
                                    • Instruction ID: f902200167a36ad5664c1c2b6e1b7a0fad3bc94432525ff73139bf55156be90f
                                    • Opcode Fuzzy Hash: 90b3c50b672d8755f4335478d7281eb2dbe7f0234314d35b94f107fb10bc0e73
                                    • Instruction Fuzzy Hash: C5A229B5E056298FDF65DF19CD887A9B7B9AF45344F1442EAD80EA7250DB309E81CF00
                                    Function 039663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                    • API String ID: 0-792281065
                                    • Opcode ID: ba004e2b9ecff75c75ca8ba146d508fe05765f8ef5fa08f4d0dbb8e3343578ba
                                    • Instruction ID: ae47bf5286a47b9938d7bd1c3c439428b9ceb94e1743923422269e7a8cb349f4
                                    • Opcode Fuzzy Hash: ba004e2b9ecff75c75ca8ba146d508fe05765f8ef5fa08f4d0dbb8e3343578ba
                                    • Instruction Fuzzy Hash: 92912835A01B149FDB34EF1DD845BBEB7A8FB92B64F140669E8106B781D7B49802C7D0
                                    Function 0392645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                                    Download Yara Rule
                                    Strings
                                    • minkernel\ntdll\ldrinit.c, xrefs: 03989A11, 03989A3A
                                    • Getting the shim engine exports failed with status 0x%08lx, xrefs: 03989A01
                                    • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 039899ED
                                    • LdrpInitShimEngine, xrefs: 039899F4, 03989A07, 03989A30
                                    • apphelp.dll, xrefs: 03926496
                                    • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 03989A2A
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                    • API String ID: 0-204845295
                                    • Opcode ID: 59048ea46a9bb3c21f04af13ac5229f5d0b34b923905a6687ecfd7b25def7dd6
                                    • Instruction ID: 0e2afac0d93df7e4b99c0b3a2195893b760fbf6d804ab84ca178d93c024a0e14
                                    • Opcode Fuzzy Hash: 59048ea46a9bb3c21f04af13ac5229f5d0b34b923905a6687ecfd7b25def7dd6
                                    • Instruction Fuzzy Hash: 4251D0752087049FE720EF28D881FBBBBE8FBC5644F040919F5969B195E770E904CB92
                                    Function 0396C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                    Download Yara Rule
                                    Strings
                                    • minkernel\ntdll\ldrinit.c, xrefs: 0396C6C3
                                    • minkernel\ntdll\ldrredirect.c, xrefs: 039A8181, 039A81F5
                                    • LdrpInitializeProcess, xrefs: 0396C6C4
                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 039A81E5
                                    • Loading import redirection DLL: '%wZ', xrefs: 039A8170
                                    • LdrpInitializeImportRedirection, xrefs: 039A8177, 039A81EB
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                    • API String ID: 0-475462383
                                    • Opcode ID: b1b0b23647474cc58591791cc5fef1267e2a265016336a2ab174896076c0109b
                                    • Instruction ID: b608b8714d67b0814bf561a7171f2fb0c8608fa2bf8532b47960625313f69b8e
                                    • Opcode Fuzzy Hash: b1b0b23647474cc58591791cc5fef1267e2a265016336a2ab174896076c0109b
                                    • Instruction Fuzzy Hash: 7731F3757447059FD220FF2CDD45E2AB7A4EFC5B50F040A58F885AF291E620EC05CBA2
                                    Function 03962674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                    Download Yara Rule
                                    Strings
                                    • RtlGetAssemblyStorageRoot, xrefs: 039A2160, 039A219A, 039A21BA
                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 039A2180
                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 039A21BF
                                    • SXS: %s() passed the empty activation context, xrefs: 039A2165
                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 039A219F
                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 039A2178
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                    • API String ID: 0-861424205
                                    • Opcode ID: e3c66234572aadfc3582d9606aa12082e9a9e186e89204fdb68c86f0af20dd45
                                    • Instruction ID: 28411c707f380f2b1a793c86dc8e71d284bce08009be03d6f718a18b70fe90f4
                                    • Opcode Fuzzy Hash: e3c66234572aadfc3582d9606aa12082e9a9e186e89204fdb68c86f0af20dd45
                                    • Instruction Fuzzy Hash: 32310636E422197BE721CB9D8C85F6FB778DBD4A80F094969FA457B141D270EA00C6E1
                                    Function 0397096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
                                    Download Yara Rule
                                    APIs
                                      • Part of subcall function 03972DF0: LdrInitializeThunk.NTDLL ref: 03972DFA
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03970BA3
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03970BB6
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03970D60
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03970D74
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                    • String ID:
                                    • API String ID: 1404860816-0
                                    • Opcode ID: 6a2d167c0623eb46ec5bb31ea74c0c3214fadc84a1631904d54f13b09fe5bd32
                                    • Instruction ID: 9c458fefbbc7cb18ce61998882ec81de872d70a6803b6311025fb5efdd318869
                                    • Opcode Fuzzy Hash: 6a2d167c0623eb46ec5bb31ea74c0c3214fadc84a1631904d54f13b09fe5bd32
                                    • Instruction Fuzzy Hash: 3E424D75900719DFDB60CF68C840BAAB7F9FF44314F1445AAE989DB281D770A984CFA0
                                    Function 0393A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                    • API String ID: 0-379654539
                                    • Opcode ID: 581af7cf39f7d28f843e32622fb8c077c54a9b2d9de7aec59afcfbf85182fb09
                                    • Instruction ID: d39939320f7ccfb33abb86ae383580ed3b1cb6745ecf55f4ae5f52aaeb3eb167
                                    • Opcode Fuzzy Hash: 581af7cf39f7d28f843e32622fb8c077c54a9b2d9de7aec59afcfbf85182fb09
                                    • Instruction Fuzzy Hash: 6FC188B52083869FDB11DF18C444B6AB7E8BF86744F044D6AF8D68B290E735C949CB52
                                    Function 03968402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                                    Download Yara Rule
                                    Strings
                                    • minkernel\ntdll\ldrinit.c, xrefs: 03968421
                                    • LdrpInitializeProcess, xrefs: 03968422
                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0396855E
                                    • @, xrefs: 03968591
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                    • API String ID: 0-1918872054
                                    • Opcode ID: 0ffa9c8587f3055eb6f8b4cfd20830f480197f805421d6e7c7a755ec5c4da062
                                    • Instruction ID: 7aef64098805c301249345e04e53b96fa8163a2cab92d9193b481b57bca66010
                                    • Opcode Fuzzy Hash: 0ffa9c8587f3055eb6f8b4cfd20830f480197f805421d6e7c7a755ec5c4da062
                                    • Instruction Fuzzy Hash: E1919975619345AFD721EF24C894FABBBECFB85784F44096EFA8496190E330D904CB62
                                    Function 0396273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                                    Download Yara Rule
                                    Strings
                                    • SXS: %s() passed the empty activation context, xrefs: 039A21DE
                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 039A22B6
                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 039A21D9, 039A22B1
                                    • .Local, xrefs: 039628D8
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                    • API String ID: 0-1239276146
                                    • Opcode ID: 89dde5d5ce70890d450f283dd7cc567bc168c1ed35cacb691338638f9f17b6ee
                                    • Instruction ID: 7e4962f4ea1cf0eb1bab7db506c99623977414be242232fe87093935aca4fa8a
                                    • Opcode Fuzzy Hash: 89dde5d5ce70890d450f283dd7cc567bc168c1ed35cacb691338638f9f17b6ee
                                    • Instruction Fuzzy Hash: C1A1A43590122DDFDB24CF54DD84BA9B3B9BF98354F1949E9D888AB251D7309E80CF90
                                    Function 03964AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
                                    Download Yara Rule
                                    Strings
                                    • SXS: %s() called with invalid flags 0x%08lx, xrefs: 039A342A
                                    • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 039A3456
                                    • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 039A3437
                                    • RtlDeactivateActivationContext, xrefs: 039A3425, 039A3432, 039A3451
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                    • API String ID: 0-1245972979
                                    • Opcode ID: e76504264f90a33e3480fd85b107ed14ab5c84815f9e80a5f4321e4a696991fd
                                    • Instruction ID: 1544dd04260b881ed69bfecf62df8e66e4c4993e0629eabdc800354b5f9409c2
                                    • Opcode Fuzzy Hash: e76504264f90a33e3480fd85b107ed14ab5c84815f9e80a5f4321e4a696991fd
                                    • Instruction Fuzzy Hash: 7261F476605B129FC722CF59C881B6AF3E9EF80B90F19866DE8659F240D734E811CBD1
                                    Function 039364AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                                    Download Yara Rule
                                    Strings
                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0399106B
                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 03990FE5
                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 03991028
                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 039910AE
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                    • API String ID: 0-1468400865
                                    • Opcode ID: 017c346cea24d766766ea99a2b3695b4b4ad8ed3421eb9d23bd2a9072e8d7fb9
                                    • Instruction ID: 7a8ae4295089d110ce86eac1714881488089d01a9a9cc68539df9bcdbc75f3a5
                                    • Opcode Fuzzy Hash: 017c346cea24d766766ea99a2b3695b4b4ad8ed3421eb9d23bd2a9072e8d7fb9
                                    • Instruction Fuzzy Hash: BA71B2B5904304AFDB20DF14C8C5B9B7BACEF857A0F440469F8498B286D734D588CBD1
                                    Function 0395245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                                    Download Yara Rule
                                    Strings
                                    • minkernel\ntdll\ldrinit.c, xrefs: 0399A9A2
                                    • apphelp.dll, xrefs: 03952462
                                    • LdrpDynamicShimModule, xrefs: 0399A998
                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0399A992
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                    • API String ID: 0-176724104
                                    • Opcode ID: db998c4c631632e85cf55de8b3b3045a23343590f50ed205ed75c7d5dc660c77
                                    • Instruction ID: 377a32835b67e91977978cfb0d6d888bf36612b08c0ec6d07aee682e6b0f5000
                                    • Opcode Fuzzy Hash: db998c4c631632e85cf55de8b3b3045a23343590f50ed205ed75c7d5dc660c77
                                    • Instruction Fuzzy Hash: 60310775A00201ABEF30EF5D9841A7AB7BDFB85B40F29045AED116B255C7B49D82C780
                                    Function 039429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                                    Download Yara Rule
                                    Strings
                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0394327D
                                    • HEAP[%wZ]: , xrefs: 03943255
                                    • HEAP: , xrefs: 03943264
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                    • API String ID: 0-617086771
                                    • Opcode ID: 30591b5eead1c6ca9fea8f65940a1793974af2bed5148ddad214bfb989dbf298
                                    • Instruction ID: cd2441026bb131ba493d6fe1e6cadca93226ab5b6fe7afa862be4b2ba6256021
                                    • Opcode Fuzzy Hash: 30591b5eead1c6ca9fea8f65940a1793974af2bed5148ddad214bfb989dbf298
                                    • Instruction Fuzzy Hash: E392CD75E042499FDB25CF68C480BAEBBF5FF49300F188899E899AB391D735A941CF50
                                    Function 03940770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                    • API String ID: 0-4253913091
                                    • Opcode ID: 355d37bae5734528a0b440a5b3f83e37188ed1436f821ecc9d0ae0bde5514d89
                                    • Instruction ID: 6f8b2ff568ace9bb124aaec687a13639e0d5e7a48ba08e939577dae031ee7239
                                    • Opcode Fuzzy Hash: 355d37bae5734528a0b440a5b3f83e37188ed1436f821ecc9d0ae0bde5514d89
                                    • Instruction Fuzzy Hash: BBF1BA34A00605DFEB25CF68C984F6AF7B9FF85304F1986A9E5169B381D734E981CB90
                                    Function 03956962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $@
                                    • API String ID: 0-1077428164
                                    • Opcode ID: 7f399e6f18c5ba3b2661bdb25ef1fe0fb09fb1bdd74d2c8e394381f6d94ee109
                                    • Instruction ID: abf0408370907eac659142eb4798f084af61c75b930a9cfbbe71b04dd2b9010e
                                    • Opcode Fuzzy Hash: 7f399e6f18c5ba3b2661bdb25ef1fe0fb09fb1bdd74d2c8e394381f6d94ee109
                                    • Instruction Fuzzy Hash: F0C26E716083419FEB25CF68C881BABBBE9AFC8754F08896DFD8987240D734D945CB52
                                    Function 0392A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: FilterFullPath$UseFilter$\??\
                                    • API String ID: 0-2779062949
                                    • Opcode ID: 9101f1bbd8f7b6acda2b40542a4c183a7b3a1c7252b6f3d16a84f687cfe5bbf2
                                    • Instruction ID: 1418661ce880ccc7ea20cdd6277114132c14c7c52535380fb917e845dbe25c63
                                    • Opcode Fuzzy Hash: 9101f1bbd8f7b6acda2b40542a4c183a7b3a1c7252b6f3d16a84f687cfe5bbf2
                                    • Instruction Fuzzy Hash: 20A180769116299BDB31EF64CC88BAAF7B8EF84700F0401EAE909A7250D7359EC5CF50
                                    Function 03950BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                                    Download Yara Rule
                                    Strings
                                    • minkernel\ntdll\ldrinit.c, xrefs: 0399A121
                                    • Failed to allocated memory for shimmed module list, xrefs: 0399A10F
                                    • LdrpCheckModule, xrefs: 0399A117
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                    • API String ID: 0-161242083
                                    • Opcode ID: c8dda224a94ac3aa850d0da24c564eec48368860476997a41c34915a1fdd6450
                                    • Instruction ID: 886e4709ea4e1553bc80fed581919762a82f61b0f12850aa52e7e9062a9a174a
                                    • Opcode Fuzzy Hash: c8dda224a94ac3aa850d0da24c564eec48368860476997a41c34915a1fdd6450
                                    • Instruction Fuzzy Hash: 94719175A002059FDF24EF6CC985ABEB7F8FB85704F194469E8129B350E774AD82CB50
                                    Function 03940A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                    • API String ID: 0-1334570610
                                    • Opcode ID: c194cf319a55f0fc3d8b4bdcc8f0a9d4b1f6f7f6760a3449d1a25135b547753c
                                    • Instruction ID: 2cec0767f1645b643e6b5b533a42861a3368c9aed5502f00233d827825782c63
                                    • Opcode Fuzzy Hash: c194cf319a55f0fc3d8b4bdcc8f0a9d4b1f6f7f6760a3449d1a25135b547753c
                                    • Instruction Fuzzy Hash: AC61AB70600302DFEB29DF28C445B6AFBA9FF45308F19859AE5598F396D770E881CB94
                                    Function 0396C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                                    Download Yara Rule
                                    Strings
                                    • minkernel\ntdll\ldrinit.c, xrefs: 039A82E8
                                    • Failed to reallocate the system dirs string !, xrefs: 039A82D7
                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 039A82DE
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                    • API String ID: 0-1783798831
                                    • Opcode ID: 2a54f4419bec1ce4cedbb3282d076e2c21f2ce66028ce8f5af865c4dd2ca8654
                                    • Instruction ID: 32461e26e8a487fb19f9fc79c585feae59638cb6726d499e6200c9fb8325bd88
                                    • Opcode Fuzzy Hash: 2a54f4419bec1ce4cedbb3282d076e2c21f2ce66028ce8f5af865c4dd2ca8654
                                    • Instruction Fuzzy Hash: 9741D2B5546304ABCB24FB6CD844B6B7BECFB85690F04492AF988D72A0E774D8118B91
                                    Function 039EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                                    Download Yara Rule
                                    Strings
                                    • @, xrefs: 039EC1F1
                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 039EC1C5
                                    • PreferredUILanguages, xrefs: 039EC212
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                    • API String ID: 0-2968386058
                                    • Opcode ID: 2ddac73613a42422a9baa379d8b847262b2ae76ea94d56a7e3dafe9e181b7245
                                    • Instruction ID: e8dd1758d072fe2ba91dcb278f8858817ad1cab4de82945fad01f8a6459bc4be
                                    • Opcode Fuzzy Hash: 2ddac73613a42422a9baa379d8b847262b2ae76ea94d56a7e3dafe9e181b7245
                                    • Instruction Fuzzy Hash: 46417C76A00209EFDB12DBD4C885FEEB7BCAB44740F04406AE945BB2A0D774DA448F90
                                    Function 039C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                    • API String ID: 0-1373925480
                                    • Opcode ID: 256049cd1ed7f8278670603ccf80e88c0678326626311336c402ec89372de6cd
                                    • Instruction ID: ae86d3c9b462513a3ff2ed8767a1f8908a2499e4f9987a18076b70302a02a709
                                    • Opcode Fuzzy Hash: 256049cd1ed7f8278670603ccf80e88c0678326626311336c402ec89372de6cd
                                    • Instruction Fuzzy Hash: 4141D676A10798CBEB26DBE6C950BADB7B8EF95380F18045DD841EF791D7348901CB12
                                    Function 039B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                    Download Yara Rule
                                    Strings
                                    • LdrpCheckRedirection, xrefs: 039B488F
                                    • minkernel\ntdll\ldrredirect.c, xrefs: 039B4899
                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 039B4888
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                    • API String ID: 0-3154609507
                                    • Opcode ID: ffd506117d69edf62b034cdd3e0f5336292c51ae11681349bd20aa393c7fdc99
                                    • Instruction ID: 965d261897a4a692da8e63a2fb52c9d840ddc2dd9184d89fba98bfe125a560ab
                                    • Opcode Fuzzy Hash: ffd506117d69edf62b034cdd3e0f5336292c51ae11681349bd20aa393c7fdc99
                                    • Instruction Fuzzy Hash: B341A472A047509FCB21DE6EDA80AA6B7F8EF89690B09055DEC599B252D730D800DBD1
                                    Function 03940BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                    • API String ID: 0-2558761708
                                    • Opcode ID: e9d168d358a9998998403c32118aaa296eb2879fec1a8f7a019ae76b60dc9881
                                    • Instruction ID: e25d471816019861cbcbe7165d64be6673209bf171040b162f5d78353413ff94
                                    • Opcode Fuzzy Hash: e9d168d358a9998998403c32118aaa296eb2879fec1a8f7a019ae76b60dc9881
                                    • Instruction Fuzzy Hash: E1110F31315602CFEF69DA1AC440F3AF3A8EF82619F1A856AE106CB354DB30DC40C794
                                    Function 039B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                                    Download Yara Rule
                                    Strings
                                    • minkernel\ntdll\ldrinit.c, xrefs: 039B2104
                                    • Process initialization failed with status 0x%08lx, xrefs: 039B20F3
                                    • LdrpInitializationFailure, xrefs: 039B20FA
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                    • API String ID: 0-2986994758
                                    • Opcode ID: 0f0c6a745a97cf90d2f3fbc3c70722a7dfca3a7ba11c4816eae69b2314ff9498
                                    • Instruction ID: c9c36d8e935324a1fe40f754bbf28b8c2cbaa8761c66fa64e7c0104dcd4ba416
                                    • Opcode Fuzzy Hash: 0f0c6a745a97cf90d2f3fbc3c70722a7dfca3a7ba11c4816eae69b2314ff9498
                                    • Instruction Fuzzy Hash: 2DF0FF34A4030CAFEA20F70C9D02FAA776CEB81A44F040854F6807B282D2A0A910CA80
                                    Function 039403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                                    Download Yara Rule
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: #%u
                                    • API String ID: 48624451-232158463
                                    • Opcode ID: 05ac4d80521534740c1b340b90f23cf691e2a06614ce38aefa4892721fc5ebd2
                                    • Instruction ID: aa5caf0ee2674910c882c48b069fb72f8ee79e918b643c12953bf88da6a55fc3
                                    • Opcode Fuzzy Hash: 05ac4d80521534740c1b340b90f23cf691e2a06614ce38aefa4892721fc5ebd2
                                    • Instruction Fuzzy Hash: D7714876A0024A9FDB11DFA9D990FAEB7B8FF48344F154065E905AB251EB34ED01CBA0
                                    Function 0393A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                                    Download Yara Rule
                                    Strings
                                    • LdrResSearchResource Exit, xrefs: 0393AA25
                                    • LdrResSearchResource Enter, xrefs: 0393AA13
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                    • API String ID: 0-4066393604
                                    • Opcode ID: b976ffc3ce7dbca3149f4f3f6982cb4b0d82a6bfedd0908d9e483150ca4f7cac
                                    • Instruction ID: 16d1c5ed8f7043b1e7c0a4531f084f77b72fb22b873052f3a8966dec9c2919b7
                                    • Opcode Fuzzy Hash: b976ffc3ce7dbca3149f4f3f6982cb4b0d82a6bfedd0908d9e483150ca4f7cac
                                    • Instruction Fuzzy Hash: E4E171B5E04259AFFF21CF99C980BAEB7BEEF46350F184566E881EB250D7349940CB50
                                    Function 039FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: `$`
                                    • API String ID: 0-197956300
                                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                    • Instruction ID: 75f2055069398e11555b9e184f66e0f150bfd4e2bed071104b21c25bc9590444
                                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                    • Instruction Fuzzy Hash: 79C1AD312043469FDB24CF28C845B6BFBE9AFC4358F184A2DFA998A290D775D505CF91
                                    Function 039AE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID: Legacy$UEFI
                                    • API String ID: 2994545307-634100481
                                    • Opcode ID: 109e89091eeb97a5cf7604b1297ba1d6bbbf050488b69738bd5d5a92849c2e21
                                    • Instruction ID: 289261c020d7710c597e868ebd9038b901cc9d9e87199c2c992051ce6cb7be22
                                    • Opcode Fuzzy Hash: 109e89091eeb97a5cf7604b1297ba1d6bbbf050488b69738bd5d5a92849c2e21
                                    • Instruction Fuzzy Hash: 43614D71E007199FDB24DFACC880BAEBBB9FB44744F14456DE659EB291D731A900CB90
                                    Function 039D43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @$MUI
                                    • API String ID: 0-17815947
                                    • Opcode ID: 73bf806b47548d22d4b6305956b93f56eaabf2912c7298ec67b807b9fb6192ce
                                    • Instruction ID: 68df01f30a4ed38e6c097ca816119e8e86e77927bb2a6265011970b17eba0b5b
                                    • Opcode Fuzzy Hash: 73bf806b47548d22d4b6305956b93f56eaabf2912c7298ec67b807b9fb6192ce
                                    • Instruction Fuzzy Hash: 745117B5E0021DAEDF11DFA6CC81AEEBBBCEB44794F144529E911BB290DA309D45CB60
                                    Function 039304E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                                    Download Yara Rule
                                    Strings
                                    • kLsE, xrefs: 03930540
                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0393063D
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                    • API String ID: 0-2547482624
                                    • Opcode ID: 4d9037e0f814e7b8124d0313c7ea54000e7d48c9891ac5ecae43449684dbe4c9
                                    • Instruction ID: a72628b606adcf13e22edbabfdf8a1bb23f1d78fe9df5b185b1343fdb5ed6671
                                    • Opcode Fuzzy Hash: 4d9037e0f814e7b8124d0313c7ea54000e7d48c9891ac5ecae43449684dbe4c9
                                    • Instruction Fuzzy Hash: B751BCB56447468FC724EF69C4406A7B7E8EF86308F08893EE9AB87341E770D545CB92
                                    Function 0393A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                    Download Yara Rule
                                    Strings
                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 0393A309
                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 0393A2FB
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                    • API String ID: 0-2876891731
                                    • Opcode ID: 743802aa2cb41b778a22da1ed3bc35173ec6527b94ae00845e24cd8f6e78def8
                                    • Instruction ID: 782c1b191ed4ce64c4821c0f016ff5903b752123ae55062e3bbb91d801d67160
                                    • Opcode Fuzzy Hash: 743802aa2cb41b778a22da1ed3bc35173ec6527b94ae00845e24cd8f6e78def8
                                    • Instruction Fuzzy Hash: 4941AEB5A04749DBDB15CF69C880B69B7F8EF86740F1844A6EC84DB291E335D900CB52
                                    Function 0396A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID: Cleanup Group$Threadpool!
                                    • API String ID: 2994545307-4008356553
                                    • Opcode ID: 5684379fa7d2eebf5870c6b194f113862eed107a1e3e2e4e2cfd8c24468a69bf
                                    • Instruction ID: ff746a788e2b6de282a380dbb4e5c5d28a22a0eb257a09bc9c939130f7b6de18
                                    • Opcode Fuzzy Hash: 5684379fa7d2eebf5870c6b194f113862eed107a1e3e2e4e2cfd8c24468a69bf
                                    • Instruction Fuzzy Hash: D70128B2255744AFD321EF18CD45F2677E8E784715F018939B568CB1E0E374D804CB46
                                    Function 0393C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: MUI
                                    • API String ID: 0-1339004836
                                    • Opcode ID: c5869f5d5af128af60f9f003e70931508d2dedd21069382f86f4fa7161b98629
                                    • Instruction ID: dd789eee05f56e87c203449610f0186b6f0595c52082f59d0cc82054e964beae
                                    • Opcode Fuzzy Hash: c5869f5d5af128af60f9f003e70931508d2dedd21069382f86f4fa7161b98629
                                    • Instruction Fuzzy Hash: F88269B5E006198BDB24CFA9C894BEDF7B9FF4A750F188169E819AB290D7309D41CF50
                                    Function 03932FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PATH
                                    • API String ID: 0-1036084923
                                    • Opcode ID: ccee017647309a72bcfe73c82eff8f5e52f739e554123c8171d0bdad52fabe9b
                                    • Instruction ID: 1bc99b66f7d926faa42c611979f8649ecb43b3030d2e92432e74a5f2fc3a2980
                                    • Opcode Fuzzy Hash: ccee017647309a72bcfe73c82eff8f5e52f739e554123c8171d0bdad52fabe9b
                                    • Instruction Fuzzy Hash: 55F1C2B9D40218EBCB25DFADD8C1ABEB7B5FF89700F498029E841AB250D7749C41CB61
                                    Function 039B6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-3916222277
                                    • Opcode ID: 26d628d9ad2a4e7f93609e53512309724693b21a87f0f5c56a7f096a758bf3a4
                                    • Instruction ID: 1777feb2c8d6fefceb6288325f744c219c51601e451384027003a241bf8b6359
                                    • Opcode Fuzzy Hash: 26d628d9ad2a4e7f93609e53512309724693b21a87f0f5c56a7f096a758bf3a4
                                    • Instruction Fuzzy Hash: 7B917276A01219AFDB21EF95CD85FEEB7B8EF48B50F144065F600AB190D775AD40CBA0
                                    Function 039DE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-3916222277
                                    • Opcode ID: 51ee05d7dd36fe1a7318e7e3a800b9edfe9f8203fb91e3221970b9f6e003ab3e
                                    • Instruction ID: 138288dec5609e9c77dfec61dd502e0cb66a704930061281ecec69988e04e6c3
                                    • Opcode Fuzzy Hash: 51ee05d7dd36fe1a7318e7e3a800b9edfe9f8203fb91e3221970b9f6e003ab3e
                                    • Instruction Fuzzy Hash: 18918B36E01649BBDB22EBA5DC85FAFBB7DEF85780F144029F501AB250DB749901CB90
                                    Function 0396A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: GlobalTags
                                    • API String ID: 0-1106856819
                                    • Opcode ID: 48a4c3a81305dd66661619f9c849acf68294f6fff10de88e10649b0fee580add
                                    • Instruction ID: a283528f600af483c4dfe7417389bd88e129b1759ba2bde8cfe9eb080c06b757
                                    • Opcode Fuzzy Hash: 48a4c3a81305dd66661619f9c849acf68294f6fff10de88e10649b0fee580add
                                    • Instruction Fuzzy Hash: FC716075E0071ADFDF28DF9CD5906ADBBB9BF88740F18866EE805AB240D7309941CB90
                                    Function 039D4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: .mui
                                    • API String ID: 0-1199573805
                                    • Opcode ID: 3fc938d4b85bafb33f6603edc61f5d0ca6ef41392f9090fcc8e5ffca0939446a
                                    • Instruction ID: a5d768eae05e3a453143ad6d6193902c533daace2dec2afac076ff67348b1a36
                                    • Opcode Fuzzy Hash: 3fc938d4b85bafb33f6603edc61f5d0ca6ef41392f9090fcc8e5ffca0939446a
                                    • Instruction Fuzzy Hash: FF519676D0032A9FDF10DF9AD842AAEF7B8BF55B40F058129E911BB250DB349C01CBA4
                                    Function 0394E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: EXT-
                                    • API String ID: 0-1948896318
                                    • Opcode ID: cef1e388fe3cd23630d80e7536ff14966d6f001d2d010e0cb13a160f6e5ef00e
                                    • Instruction ID: c02d21a5a94c1a0908d82287e1d30d5e8f9f174afff0be719bfdc6fa3a685390
                                    • Opcode Fuzzy Hash: cef1e388fe3cd23630d80e7536ff14966d6f001d2d010e0cb13a160f6e5ef00e
                                    • Instruction Fuzzy Hash: A2415E76909311ABD720DA79C980F6BB7ECBFC8764F440D29F984DB180E774D9048796
                                    Function 039AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: BinaryHash
                                    • API String ID: 0-2202222882
                                    • Opcode ID: ebf85ea5c4861ca3c6d405e762c170f96bfc16cafa22592bfd1f0f29ce611d63
                                    • Instruction ID: 6838345333d25508ed69878a86850a17e8d3b4f8081482ec84a3cf0f5a55b29d
                                    • Opcode Fuzzy Hash: ebf85ea5c4861ca3c6d405e762c170f96bfc16cafa22592bfd1f0f29ce611d63
                                    • Instruction Fuzzy Hash: 474142B5D0062DABDB21DB54CC84FDEB77CAB85714F0046A5AA08AF140DB709E898FE4
                                    Function 039B07C3 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Rbyu
                                    • API String ID: 0-3582017655
                                    • Opcode ID: 2ae9bd8d2f80e744b981528b3d5eed4ab8284cd779ea8a2c6adbf3a30194cea0
                                    • Instruction ID: fe5275545fbc64aa0a894a0999125060a3051a0d76d0fd566b696ac7d9e8732b
                                    • Opcode Fuzzy Hash: 2ae9bd8d2f80e744b981528b3d5eed4ab8284cd779ea8a2c6adbf3a30194cea0
                                    • Instruction Fuzzy Hash: C3417D72908304AFD320DF69C845BABBBE8FFC8654F004A2EF598D7291D7709905CB92
                                    Function 039C6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #
                                    • API String ID: 0-1885708031
                                    • Opcode ID: 659532d33528a1c2f3893eaf54b7de5803d0b18e0e9d8f4f0cc6ea201e2567b2
                                    • Instruction ID: cf2e8ed4a9d9696b910ba4967cde6925c7ca4c88a7a64d439403015597d5aba4
                                    • Opcode Fuzzy Hash: 659532d33528a1c2f3893eaf54b7de5803d0b18e0e9d8f4f0cc6ea201e2567b2
                                    • Instruction Fuzzy Hash: 2E311431A507899BDB21DB69C850BEEB7ACEF45744F1C406CEA41AB282C775DC05CB91
                                    Function 039ACA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: BinaryName
                                    • API String ID: 0-215506332
                                    • Opcode ID: a1050a9441ffb06d41ed08bd5ac311089e8907cb6d6aea9bc0dac54098c5087f
                                    • Instruction ID: c7f1a4ab3e096b58b6f3d2ed2a357c9a0ed5a8371b683c199f1ba10dcb87f616
                                    • Opcode Fuzzy Hash: a1050a9441ffb06d41ed08bd5ac311089e8907cb6d6aea9bc0dac54098c5087f
                                    • Instruction Fuzzy Hash: 74310536940A1AAFEB15DB5CC845E7FF7B8EB80750F054269A811EF250D731AE00CBE0
                                    Function 039B892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                    Download Yara Rule
                                    Strings
                                    • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 039B895E
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                    • API String ID: 0-702105204
                                    • Opcode ID: c3e106c182141229206aa818a8e4e18bc1e4ae504e8d60bee5f6ce5ab23d3510
                                    • Instruction ID: 44a44cda2e9099aa91802cde6a5eaf01d9b787ac3e2e58ab2d3c4407ee60cc38
                                    • Opcode Fuzzy Hash: c3e106c182141229206aa818a8e4e18bc1e4ae504e8d60bee5f6ce5ab23d3510
                                    • Instruction Fuzzy Hash: 8C012B7A618354AFDB24EB59CE84BFABB7DFFCAAD0F080419E5411A151CB30AC41C792
                                    Function 039D2000 Relevance: .8, Instructions: 757COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 97db9f95a82e1085c21b19e5e4800934cd06c396cfad1934bf0f1772f8817a64
                                    • Instruction ID: 36a3da30f5a913ee31f3a7c175d84a1b977a36a10c5bda73808ba66774bf4c73
                                    • Opcode Fuzzy Hash: 97db9f95a82e1085c21b19e5e4800934cd06c396cfad1934bf0f1772f8817a64
                                    • Instruction Fuzzy Hash: 3F42BF366083419BD725CF68C892A6BF7E9AFC8380F088D2DF9C69B250D771D845CB52
                                    Function 039C8158 Relevance: .6, Instructions: 617COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8bf4a9828779acbd767f905fe3c837bfad3b1e01f670a4322d463b8fdada8264
                                    • Instruction ID: bfe7744c0543dd51ebd3376a7812b8e3fd0c6c5b4c59d43c42f2d93883848c87
                                    • Opcode Fuzzy Hash: 8bf4a9828779acbd767f905fe3c837bfad3b1e01f670a4322d463b8fdada8264
                                    • Instruction Fuzzy Hash: 0F426975A142599FDB24CF69C881BADF7F9BF88340F18819DE848EB241D734A981CF61
                                    Function 03942840 Relevance: .6, Instructions: 605COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d6721f4f7a2b0f46d6221b503af747d14ffb7479e1de39df74b81096093b632c
                                    • Instruction ID: 3e3bba6fbea5648a1685d9701a724ace83ec6de4e77aa96f5608b8b8099e40cc
                                    • Opcode Fuzzy Hash: d6721f4f7a2b0f46d6221b503af747d14ffb7479e1de39df74b81096093b632c
                                    • Instruction Fuzzy Hash: CE32DC74A007558BEF24DF69C844BBEFBFABF84360F18455EE4869B284D735A842CB50
                                    Function 039DA118 Relevance: .6, Instructions: 591COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cf011107f9c3e73bbc9caaf2fe8cd0d60dd1891d4aaa1d2a6ab661468acd0dee
                                    • Instruction ID: b0c5a91bff5abb96d5a9996b745b801d8b06b0df36e4e5580c4e099fbeb6164e
                                    • Opcode Fuzzy Hash: cf011107f9c3e73bbc9caaf2fe8cd0d60dd1891d4aaa1d2a6ab661468acd0dee
                                    • Instruction Fuzzy Hash: 6922CD746046518FDB24CF29C092376F7F5AF45380F0CC89AE9968F686E735E5A2CB60
                                    Function 03936A50 Relevance: .5, Instructions: 548COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0b30fbf6e22a19abc3e671ded345652f8bf5471d0833ebf5c061b35e967bb963
                                    • Instruction ID: e1cd6d4ca2998f3c7d92de538ad5fa52469de0cced48da4adde7db29dd23bdaa
                                    • Opcode Fuzzy Hash: 0b30fbf6e22a19abc3e671ded345652f8bf5471d0833ebf5c061b35e967bb963
                                    • Instruction Fuzzy Hash: F8328CB5A05206DFDB24CF68C480BAEB7F9FF49340F18896AE955AB391D734E841CB50
                                    Function 03954A35 Relevance: .4, Instructions: 423COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                    • Instruction ID: 30cf69f4b8df4699d22f3f1940848b483630992238d42b610a9eebef00098510
                                    • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                    • Instruction Fuzzy Hash: E9F15175E0021A9BDF54CF9AD580BAEF7B9AF48750F09856AFC05AB340E774E881CB50
                                    Function 039C892B Relevance: .4, Instructions: 386COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 07839b9eb643196028fb6cd1adb95ee375fa70a7959bace75bc7d871b841370d
                                    • Instruction ID: 6f513f592e2b1898afd00c2e7e5d021f57d28d385cb2336b4c5a10a44e215f39
                                    • Opcode Fuzzy Hash: 07839b9eb643196028fb6cd1adb95ee375fa70a7959bace75bc7d871b841370d
                                    • Instruction Fuzzy Hash: B7D10172E1864A9BDF04CF68C841BFEB7F9AF88344F18856DD855A7240E735E902CB61
                                    Function 039365D0 Relevance: .4, Instructions: 383COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 223766143fdb2231144e827f60fb3d8d05c2daa2be2a386c293f05f0d6353d67
                                    • Instruction ID: 35ec59ce599636ff35e5874c53bedd4dc88c4489bb2c564a143c4c4dd301c8bd
                                    • Opcode Fuzzy Hash: 223766143fdb2231144e827f60fb3d8d05c2daa2be2a386c293f05f0d6353d67
                                    • Instruction Fuzzy Hash: 0FE18CB5508341DFC714DF28C0D0A6ABBE5FF8A358F09896DE8998B351DB31E905CB92
                                    Function 03928397 Relevance: .4, Instructions: 380COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3736c0d6d26d1a421a7e4a6328024a6a9f8e5f3e9d7f0676971fce1364d093cc
                                    • Instruction ID: 3cf020761bfaa3f149c3a2f518286beb52f8fccf628730a08db8b51fb0e4ec50
                                    • Opcode Fuzzy Hash: 3736c0d6d26d1a421a7e4a6328024a6a9f8e5f3e9d7f0676971fce1364d093cc
                                    • Instruction Fuzzy Hash: A5D1F675A04B2A9BCF14EF68C890FBEBBA9FF84354F084629E815DB284E734D940C750
                                    Function 039B8243 Relevance: .3, Instructions: 322COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                    • Instruction ID: fadb3faf0176fb3419d11061241dd78b3dafc9e07018947fab47ff3e3c3bcb1f
                                    • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                    • Instruction Fuzzy Hash: 78B16075A04648AFDB24DF95CA40EEBB7BEFF88384F14446DE9429B790DA34E905CB10
                                    Function 03940535 Relevance: .3, Instructions: 300COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                    • Instruction ID: 366877a76eb31d49338d0c8da260b6567f2eb4c974b2e2c509db72002bd077d4
                                    • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                    • Instruction Fuzzy Hash: ADB10475600645AFEF22DBA9C850FBEFBFAEF85200F190599D6469B381D730E941CB90
                                    Function 039383C0 Relevance: .3, Instructions: 281COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 52dbcff7c63aff9e13c2d8037d7bd00e05bbebe834defe1651210e008aca94dc
                                    • Instruction ID: 638b1f1a1bbba3ff87afb3291a9ddf829f9e5304776465dc79d5f955a2306e37
                                    • Opcode Fuzzy Hash: 52dbcff7c63aff9e13c2d8037d7bd00e05bbebe834defe1651210e008aca94dc
                                    • Instruction Fuzzy Hash: 7AC14A741083418FEB64CF19C484BABB7E9FF88344F48495EE9898B290D774E948CF92
                                    Function 0392C427 Relevance: .3, Instructions: 280COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 203e722f99ad443fea862bf11b8fde8836629045206c9c6ff828b4bbf1910439
                                    • Instruction ID: 5cd849ccae8556e0cf6d83ac1e04a6c5c3623ec29eeb0dc45e7def3074277067
                                    • Opcode Fuzzy Hash: 203e722f99ad443fea862bf11b8fde8836629045206c9c6ff828b4bbf1910439
                                    • Instruction Fuzzy Hash: F2B16074A046658FDB64DF64C890BADB7B5EF84740F0485EAD40AEB284EB70DD85CF21
                                    Function 0395E5E7 Relevance: .3, Instructions: 278COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4d40381a5c63e4b3f866d85ff2f8ecc7166361bd698ecb4bc78cf4ac4c533147
                                    • Instruction ID: f081002b049661a97302e8a323ebb0a919c726de759d4f61de3fa2699a198a03
                                    • Opcode Fuzzy Hash: 4d40381a5c63e4b3f866d85ff2f8ecc7166361bd698ecb4bc78cf4ac4c533147
                                    • Instruction Fuzzy Hash: 68A12631E026189FEF21DB5CC844BEEF7A8EB45790F094162FD51AB290D7749E80CB91
                                    Function 03970185 Relevance: .3, Instructions: 276COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c580369e941c7327f4848b77b9be62db535fa51c20675e62bb2f1def0f7128c2
                                    • Instruction ID: 5e050afd59b0e335216f08f6e28e82ef55c0ac536ec00a17858dcd22263ada87
                                    • Opcode Fuzzy Hash: c580369e941c7327f4848b77b9be62db535fa51c20675e62bb2f1def0f7128c2
                                    • Instruction Fuzzy Hash: 6FA1BF71B0071ADBDB24DF69C990BAAB7B9FF44354F044529EA459B3C1EB34E812CB90
                                    Function 03A04500 Relevance: .3, Instructions: 275COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 25d2d64f0e6bcf03ece9fecabe9d0f300e8782035ffb5cb6db0b92491410ff6b
                                    • Instruction ID: be02e0c10fa85b0f0a578c6a03dcae15d4a16847d87344e46b9806987bc82405
                                    • Opcode Fuzzy Hash: 25d2d64f0e6bcf03ece9fecabe9d0f300e8782035ffb5cb6db0b92491410ff6b
                                    • Instruction Fuzzy Hash: 92A1CD72A04611EFC725DF29D980B2AB7E9FF89304F05096EE6859B6A0D334EC01CF91
                                    Function 039B60E0 Relevance: .3, Instructions: 264COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 923403cc56f1149962156ec27f282e6daa7e1f904ec02503a54e3dfe99bfbdaa
                                    • Instruction ID: cadc97f2e586aa30f3d3041119a12eb041b2e7b8bd90b1a59a7fd24ab3d1c5d5
                                    • Opcode Fuzzy Hash: 923403cc56f1149962156ec27f282e6daa7e1f904ec02503a54e3dfe99bfbdaa
                                    • Instruction Fuzzy Hash: 0991C171E00219AFDB15CFA8D984BFEBBB9EF49740F154169E951EB340D738E9008BA0
                                    Function 0394E3F0 Relevance: .3, Instructions: 261COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4ee828f50d237af1473309eb7ade8624dc6795d1265388e0149b171db31922c2
                                    • Instruction ID: d3a81b05c4a5ceebcf31b530685e1a3aa0f13e216263b210b59419b2a7181783
                                    • Opcode Fuzzy Hash: 4ee828f50d237af1473309eb7ade8624dc6795d1265388e0149b171db31922c2
                                    • Instruction Fuzzy Hash: DE912235E006159BEB24DB2DD884F7EB7A9FF84750F0944AAE8059F290E738DD41CB91
                                    Function 03986ACC Relevance: .2, Instructions: 226COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 55e403493cb7a8666862bf336ce3592d67296259e79911569e105ac6e0338f40
                                    • Instruction ID: 8d27f3d925b348fb6976fca9eb7348ed68920e7ef417fe5518eb2e3732bca7dd
                                    • Opcode Fuzzy Hash: 55e403493cb7a8666862bf336ce3592d67296259e79911569e105ac6e0338f40
                                    • Instruction Fuzzy Hash: 7F819371A006169FDB14DFA9D940ABEFBF9FB88704F04852EE545EB640E334E941CBA4
                                    Function 039FAB40 Relevance: .2, Instructions: 222COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                    • Instruction ID: 274fc331a4d6425430097105ab8fd7a9e112bbf4fc4721cc209c50b262c068ec
                                    • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                    • Instruction Fuzzy Hash: F3816F36A1020A9FCF18DF99C890AAEB7B6FFC4354F188569DA1A9B344D734E901CF50
                                    Function 0396E284 Relevance: .2, Instructions: 212COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b0722dd0c47697ab3210ed944fb3e02eff813c4c46b44aeef906d0fc6d76892f
                                    • Instruction ID: bbe9074798bfd416cb41ca380c7a86a6437df919cdd4f14a8b0f68cc0ac44b69
                                    • Opcode Fuzzy Hash: b0722dd0c47697ab3210ed944fb3e02eff813c4c46b44aeef906d0fc6d76892f
                                    • Instruction Fuzzy Hash: 8A817C75E01709AFDB25CFA9C980EEEF7BAFB88340F144429E556A7250D730AC05CBA0
                                    Function 0394C640 Relevance: .2, Instructions: 206COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c69f79644cd5390361075b6a1de9872e95ddc76badbd60773fa13d9060063c1c
                                    • Instruction ID: 1e2ed8e36cb99fc7b4f8434262a4db134707c04b475ee3d5fde1f4f1ae75190b
                                    • Opcode Fuzzy Hash: c69f79644cd5390361075b6a1de9872e95ddc76badbd60773fa13d9060063c1c
                                    • Instruction Fuzzy Hash: 5B71EEB6C06225AFDB25DF5DC590BBEBBB8FF59700F14455AE842AB350E3309801CBA0
                                    Function 039E47A0 Relevance: .2, Instructions: 202COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6975b791f949b83d0ec589d610008129567127bb599f4959689d76223f903194
                                    • Instruction ID: 87496006287f9488ca7b5dc8bfd280638a52040ad4bd9aefbf9d54f3877e85db
                                    • Opcode Fuzzy Hash: 6975b791f949b83d0ec589d610008129567127bb599f4959689d76223f903194
                                    • Instruction Fuzzy Hash: C671D370902308EFDB21EF9AC945E6AFBF9FF90750F14425AE510AB2A8C7B5C901CB54
                                    Function 0394260B Relevance: .2, Instructions: 201COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ace1d1824d575bd4330d6517b33ccfea3a8ca9f5be7b459a9504fe91c96414ca
                                    • Instruction ID: 791c7301a5f4dcb021d15fdfe0822051e6d1a8c8525cca0af34ffa464511ae56
                                    • Opcode Fuzzy Hash: ace1d1824d575bd4330d6517b33ccfea3a8ca9f5be7b459a9504fe91c96414ca
                                    • Instruction Fuzzy Hash: A471C1756046419FD711DF28C480F2AB7E9FF88750F0989AAF899CB351EB34E846CB91
                                    Function 039B035C Relevance: .2, Instructions: 198COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                    • Instruction ID: f9a222c3f0d94e430f66883024022b1321a2b9552db90cc40a51e9ee02e9a63a
                                    • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                    • Instruction Fuzzy Hash: 0F713E75E00619AFCB10DFA5CA84EEEBBB9FF88700F144569E505AB650DB34EA41CB90
                                    Function 039C62A0 Relevance: .2, Instructions: 198COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 21df5ae5694a914da9e6a7eabb68d56831c94adf165ed0e232b86854b8284433
                                    • Instruction ID: e90078a0329aa9e69ae3f576e9a864444313292ce734d0719eb19987ad45b626
                                    • Opcode Fuzzy Hash: 21df5ae5694a914da9e6a7eabb68d56831c94adf165ed0e232b86854b8284433
                                    • Instruction Fuzzy Hash: A971E136220B41AFEB31DF18C844FAAB7B9EF84760F18492CE5568B2E0D775E944CB51
                                    Function 03938AA0 Relevance: .2, Instructions: 197COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 07e2bfe435d8b73d58fb97049dab71e4fd7196dd4c175970bddbe27d606d7a0c
                                    • Instruction ID: 1feae57abd2aba2a3bf03358801051bdd7b6de3dafa6e14b845bee3f028123d2
                                    • Opcode Fuzzy Hash: 07e2bfe435d8b73d58fb97049dab71e4fd7196dd4c175970bddbe27d606d7a0c
                                    • Instruction Fuzzy Hash: 9D81A0B2A0834A9FDB28CF9DD480B7DB7B9FF89750F19452AE8106B285C7349D41CB90
                                    Function 039D8350 Relevance: .2, Instructions: 161COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b4f1c431c82a11cfc91dc0f918b6b6a1952a60390ca9c5d47d2a60879154779d
                                    • Instruction ID: 65f0e1a600629276fb294722c49839eaa26f83eb38534df277079a099efda90a
                                    • Opcode Fuzzy Hash: b4f1c431c82a11cfc91dc0f918b6b6a1952a60390ca9c5d47d2a60879154779d
                                    • Instruction Fuzzy Hash: FE51A070904704EFD720DF66C885AABFBFCBF94710F108A1ED1969B6A1D7B0A945CB90
                                    Function 0396E443 Relevance: .2, Instructions: 158COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2d771f72852604463a6b40a4cd7208907581a5920c1507d5b4c94e9bcf114d00
                                    • Instruction ID: d0d948fdd06bb22cd282bb20f14829f5316845e04006028501a2ad93d2b51f59
                                    • Opcode Fuzzy Hash: 2d771f72852604463a6b40a4cd7208907581a5920c1507d5b4c94e9bcf114d00
                                    • Instruction Fuzzy Hash: AA514A79611A05DFCB21EF69CAC0E6AB3FDFF44780F44096AE9429B260D734E951CB50
                                    Function 039D4180 Relevance: .2, Instructions: 156COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fa399d1fd254f4bb68814275b342783272efbe5bdc415ba370473d6b6c69178e
                                    • Instruction ID: 0a695ff612d05650125e9c10791891cf3085e561fb07892ad0dd21521c723d44
                                    • Opcode Fuzzy Hash: fa399d1fd254f4bb68814275b342783272efbe5bdc415ba370473d6b6c69178e
                                    • Instruction Fuzzy Hash: DA5168756083069FC754DF2AC982A6BF7E9BFC8244F84892DF489CB650DB30D905CB92
                                    Function 039545B1 Relevance: .2, Instructions: 156COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                    • Instruction ID: aa6222bd00adf825b8cf0e1a3dfe79aefbc0341e4153e7ebd432c35d71d2083c
                                    • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                    • Instruction Fuzzy Hash: D1519E75E0021AABDF15DF99C840BEEBBB9AF85350F04406AE901AB240D734ED84CBA4
                                    Function 039BE9E0 Relevance: .2, Instructions: 154COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                    • Instruction ID: 258b2f9c6100d9b3a240d161e684c5ac81d7b5245b58314ab0d7672024fadbe8
                                    • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                    • Instruction Fuzzy Hash: D151E535D0132AEFDF20DF95DA94BEEBBBCAF40364F154669D9126B290D7309E408B90
                                    Function 0392EFD8 Relevance: .2, Instructions: 153COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d79bdfc4eb13d0936a74a32bd2095adffc5dee5a619b9f8c9de4f4e883b660fc
                                    • Instruction ID: 1f1bd0010fd228fc8b4ca0beede0481f347ac27ee7cd8d3c12aa412d05e471c3
                                    • Opcode Fuzzy Hash: d79bdfc4eb13d0936a74a32bd2095adffc5dee5a619b9f8c9de4f4e883b660fc
                                    • Instruction Fuzzy Hash: C3518D756083519FC300EF29D884A6BBBE9EFC9754F14482DF899CB296D730E905CB92
                                    Function 039F8B28 Relevance: .2, Instructions: 152COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2783798598ec2969bd03f846162dbbb020367e25aa3abb10341645e722ffd49e
                                    • Instruction ID: 0faa4aed9dc8162d910fe177a76192f7a2351a7e4ed5655b128ffc9fefc1a7ab
                                    • Opcode Fuzzy Hash: 2783798598ec2969bd03f846162dbbb020367e25aa3abb10341645e722ffd49e
                                    • Instruction Fuzzy Hash: 3841D2707096119FC769DB29C895B7BF7DEEF807A1F088619EA658B290DB30D802C791
                                    Function 039BCBF0 Relevance: .1, Instructions: 148COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b2ac2b94634047c652654ef4cadcecde5851af016b604b103f7774747fcf560b
                                    • Instruction ID: d2098c349338b05681432effdf085d3a98a0fbc11efb6630941b9ba6b5f855c4
                                    • Opcode Fuzzy Hash: b2ac2b94634047c652654ef4cadcecde5851af016b604b103f7774747fcf560b
                                    • Instruction Fuzzy Hash: 1451B07AA00215DFCB20EFA9CA809AEBBBDFF98794B154919D945A7300D774AD01CF90
                                    Function 0396A430 Relevance: .1, Instructions: 139COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 72511a646baf5a210f161c3da75f840e3da25ac087f94133402ad1a5ed3eff07
                                    • Instruction ID: f662fac03721d6af17f81455d3f911bfd0bac3c35a4549eda96491ce007f62b8
                                    • Opcode Fuzzy Hash: 72511a646baf5a210f161c3da75f840e3da25ac087f94133402ad1a5ed3eff07
                                    • Instruction Fuzzy Hash: 114112B5642300ABCB29FF6C9891B3E7768EB94B44F04146DED06AF241D7B198218794
                                    Function 039FA9D3 Relevance: .1, Instructions: 139COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                    • Instruction ID: 1640a81bd51cbd598f30092ea7fb98061fec43644ee07e9462e223a13e2c600a
                                    • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                    • Instruction Fuzzy Hash: E041EC316147569FD725CF24C984A6AF79EFF80250B09476EEA568B240EB31ED18CFD0
                                    Function 039601F8 Relevance: .1, Instructions: 138COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 71f99e71cd818cfe8a5d836217e6329cc331e7b0abb3f243db6d715388370cf3
                                    • Instruction ID: ed83bac4fa6198883f65aca3e06c8171ef958d7cedead2aab7c7576d83a7cd33
                                    • Opcode Fuzzy Hash: 71f99e71cd818cfe8a5d836217e6329cc331e7b0abb3f243db6d715388370cf3
                                    • Instruction Fuzzy Hash: 8C41A036D062159BCB14DF98C480AEDF7B8BF88750F58825AE816FB350D7359D41CBA4
                                    Function 0395EBFC Relevance: .1, Instructions: 138COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 59b22b40868ccacda91d892e486ec20cdf61b5aca114a323689468b383cd1644
                                    • Instruction ID: 9fb9fa888fafb4f4783e8a2bb6a035f5480eaed3d54ecbddf1233d10781e31a0
                                    • Opcode Fuzzy Hash: 59b22b40868ccacda91d892e486ec20cdf61b5aca114a323689468b383cd1644
                                    • Instruction Fuzzy Hash: FE41A472A043019FDB24DF28C884A67B7E9FF84354F044C6AF997C7611EB35E9858B51
                                    Function 03972750 Relevance: .1, Instructions: 137COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                    • Instruction ID: 7fea224a807d26ef8cd0004d35f3a3b3e2282d1582f5b7757747fb6d4650b12e
                                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                    • Instruction Fuzzy Hash: FA513A75A00615DFCB15CF58C580AAEF7FAFF84750F2886A9D855A7350D730AE41CB90
                                    Function 03936154 Relevance: .1, Instructions: 133COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c5b0da34defbf196d73e7f3099ca05a4db3b5af703821ff464a4021ec322c896
                                    • Instruction ID: 956c74d3f58164bbf2f69bd3df455fdf062be794af3332b8b4bb451fe1122fad
                                    • Opcode Fuzzy Hash: c5b0da34defbf196d73e7f3099ca05a4db3b5af703821ff464a4021ec322c896
                                    • Instruction Fuzzy Hash: AE512BB0904616EBDB25DB68CC44BB9BBB9FF42314F0842A5D469DB3D0E7789981CF40
                                    Function 03930BCD Relevance: .1, Instructions: 130COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1bb2ad03fd3555fa1142c77db129157a8087ec0c8854650c3092b36633a110ec
                                    • Instruction ID: 34e179bde768f8fd84d464ba30605c15762197f0772a7ae9ecf9769e7117c40c
                                    • Opcode Fuzzy Hash: 1bb2ad03fd3555fa1142c77db129157a8087ec0c8854650c3092b36633a110ec
                                    • Instruction Fuzzy Hash: 88417F76E002289BCB21EF68C940FEEB7B8EF85750F0504A5E949AB241D7749E84CF95
                                    Function 039F866E Relevance: .1, Instructions: 129COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                    • Instruction ID: d0f1ed0c6ce76a34e209f0891dd163fd8b6b16bbaba571ef8ca36cf28099f40b
                                    • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                    • Instruction Fuzzy Hash: 3B41D376B04219AFDF54DF99CC85AAFBBBEAF88250F184069EA00A7341D670DD018760
                                    Function 03930887 Relevance: .1, Instructions: 128COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23d88125970821601e9e2065b43fce6fc2f7df5f36803b1b832da9f71874fa04
                                    • Instruction ID: 209775713bd22c884664eba43a5b5f3a4af3cc8129a16e5882a8c677ff1827b9
                                    • Opcode Fuzzy Hash: 23d88125970821601e9e2065b43fce6fc2f7df5f36803b1b832da9f71874fa04
                                    • Instruction Fuzzy Hash: 1E41B0B16007059FE324DF28C490A26F7F9FF8A354B148A6DE49B8BB50E731E845CB90
                                    Function 0395A470 Relevance: .1, Instructions: 127COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c8e332883e84b135f57af34315de3e789e74425623aadfff560a9a72bf3e4c17
                                    • Instruction ID: a02d2db1af31f43b18c7fdd8696a426db0952da84cd8173e92fe0f7842a253a6
                                    • Opcode Fuzzy Hash: c8e332883e84b135f57af34315de3e789e74425623aadfff560a9a72bf3e4c17
                                    • Instruction Fuzzy Hash: 2241C431940204CFDF22DF6CD490BBEB7B4FB98750F184655E811AB291DB349982CB68
                                    Function 03938BF0 Relevance: .1, Instructions: 124COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 803768e405e515e313ce8e87f7e1c4630412c5240736bbd1fbabea189a571b6a
                                    • Instruction ID: 84e90b501d5271c353b75cf0c4b48f8d019256191f1dd6d3bf55fa7f3558d1c9
                                    • Opcode Fuzzy Hash: 803768e405e515e313ce8e87f7e1c4630412c5240736bbd1fbabea189a571b6a
                                    • Instruction Fuzzy Hash: 304122B6904305DBDB28EF4DC880A7ABBF5FBDAB00F15852AE8019B655C735D842CF90
                                    Function 03928918 Relevance: .1, Instructions: 123COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b9e82b524ebf11af897fb17ec5aafb5f0a221fc46a373de90afc9a736a9c32e
                                    • Instruction ID: b72de76395d0534222aa89c7f8e580dd166743de91141c77c49547ceca0eb6cb
                                    • Opcode Fuzzy Hash: 2b9e82b524ebf11af897fb17ec5aafb5f0a221fc46a373de90afc9a736a9c32e
                                    • Instruction Fuzzy Hash: 82416F3A5087169ED311EF69C840A6BF7E9EF88B94F44092AF984D7250E730DE458B93
                                    Function 0392A020 Relevance: .1, Instructions: 122COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                    • Instruction ID: 2ec39efd50007d142e90623ec2c8841a0cffd065eaee4f6d461c365c0a015e62
                                    • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                    • Instruction Fuzzy Hash: 13414C32A00621DBCB20FF9584507BAFB7AEBC1794F1D806AE8458B244DA359D40CB90
                                    Function 039309AD Relevance: .1, Instructions: 122COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fb984c959dfaea2c5308682bc1a92a60c6d3d9fb5d39cf9c9519982d39fa2de4
                                    • Instruction ID: a303f218e719d1bcecace142f52733ada0310e7e1afab8540980a377a26200a8
                                    • Opcode Fuzzy Hash: fb984c959dfaea2c5308682bc1a92a60c6d3d9fb5d39cf9c9519982d39fa2de4
                                    • Instruction Fuzzy Hash: 2D4179B1A00700EFD720DF18D840B26B7E9FF89354F24896AE44ACB350E770E942CB91
                                    Function 03960710 Relevance: .1, Instructions: 121COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                    • Instruction ID: 10f74072acabd0f800fcdddcc727b22813b1781a1a1420cbf4bd17e42513d40b
                                    • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                    • Instruction Fuzzy Hash: 7341F375A05705EFDB24CF98C980AAAB7F8FB18740B10496DE556DB790E730AA44CB90
                                    Function 0393262C Relevance: .1, Instructions: 119COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 37cc640688d5dda1e6933b43d30bd3b366249fcdfb4c06466856af2e784a325e
                                    • Instruction ID: 094935be55932ccfa9e0c15fe028a907be1e887288fc8d727d9f8459dc80ae9e
                                    • Opcode Fuzzy Hash: 37cc640688d5dda1e6933b43d30bd3b366249fcdfb4c06466856af2e784a325e
                                    • Instruction Fuzzy Hash: 0241E1B4501714DFCB21EF28D940A29B7FAFF86354F148AAAC4979B2A1DB30A941CB51
                                    Function 0396C8F9 Relevance: .1, Instructions: 116COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e4a89b7a92ef1bed5256cda8f4f8dce6ab376e85e605b11f73ccbe64e08be380
                                    • Instruction ID: f85620b8b970bffd0a1d56f531c471b8c583a14ef273ede9e7ecf142f040bc39
                                    • Opcode Fuzzy Hash: e4a89b7a92ef1bed5256cda8f4f8dce6ab376e85e605b11f73ccbe64e08be380
                                    • Instruction Fuzzy Hash: 7B3189B1A01744EFDB11DFA8D440B99BBF4FF49764F2485AAE019EB291D3369902CF90
                                    Function 039B05A7 Relevance: .1, Instructions: 111COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 215a80fd7d11cd18fb4db337a31b81c788ee05ebbbe9d6563540d1418ba37543
                                    • Instruction ID: 99b89cd9d508d47f3e9eab46cb8727df29c2a501d79f359edfff962818746cac
                                    • Opcode Fuzzy Hash: 215a80fd7d11cd18fb4db337a31b81c788ee05ebbbe9d6563540d1418ba37543
                                    • Instruction Fuzzy Hash: C141B1766047459BC320EF68C980AABB7B9FFC8740F080619F8949B790E730E914C7A6
                                    Function 03934859 Relevance: .1, Instructions: 111COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f20d9a37478037eab60b3ec75e4409da144a19647257b20535bf590a36ed365e
                                    • Instruction ID: 2a95b4c32314c7f425e192072fb0312b51a5fd138be7d544713db4d4e12bb38e
                                    • Opcode Fuzzy Hash: f20d9a37478037eab60b3ec75e4409da144a19647257b20535bf590a36ed365e
                                    • Instruction Fuzzy Hash: 4541D5B02083018FC724DF29D884B26B7EDFF82B90F1A446DE9458B2A0D774DC11CB51
                                    Function 039402E1 Relevance: .1, Instructions: 106COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                    • Instruction ID: 2db284119b1cb4b6ed30c2a6f64bf56476d159362d2d91a92c2edcdfaaf79c32
                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                    • Instruction Fuzzy Hash: 2F31E432A04244AFDB22DB68CC44F9AFFE9FF45350F0885A6E855DB351E6749844CBA0
                                    Function 039DE3DB Relevance: .1, Instructions: 105COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6775c446746a5411c6a366b8f6958d1011cc2c6760c361915341f2508c6a1c12
                                    • Instruction ID: 3449de649cc08e2e752c868e9c66af2a2e71afcece471ce2c93345594b8c2aee
                                    • Opcode Fuzzy Hash: 6775c446746a5411c6a366b8f6958d1011cc2c6760c361915341f2508c6a1c12
                                    • Instruction Fuzzy Hash: 81319939B51715ABD722EF658C81F6F76B9EB89B50F004028FA04AF2D1DAA4DD01C7E0
                                    Function 039E4B4B Relevance: .1, Instructions: 104COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a78c2471a40dfbfa62af18450c3ba1f5e9b58abc1862e9834e3094c5bc6361fc
                                    • Instruction ID: 9eaf50f87c6f2ffc645ab4f6c047bdc0852c7395f4bba45a0619842a48d10907
                                    • Opcode Fuzzy Hash: a78c2471a40dfbfa62af18450c3ba1f5e9b58abc1862e9834e3094c5bc6361fc
                                    • Instruction Fuzzy Hash: 4131C4326056119FC322EF1ED880E6AB7EAFB85390F0D446DE8959B261D730E801CF91
                                    Function 03934260 Relevance: .1, Instructions: 102COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 696413099eab6f6c1071c94ad240388cef612f7048bf896f9197916dd1af86ea
                                    • Instruction ID: ee3bbc8e1029d03ddcdc06304870035fcb925a92fd0ba46f275d22d5cae77f00
                                    • Opcode Fuzzy Hash: 696413099eab6f6c1071c94ad240388cef612f7048bf896f9197916dd1af86ea
                                    • Instruction Fuzzy Hash: E441B175200B45DFDB22CF69C981FDAB7E9AF4A354F05482AE9A98F350D774E800CB50
                                    Function 039E4BB0 Relevance: .1, Instructions: 101COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ce94fd0703798e00bb9c82280a3d2f05d6126dd281b4770a86bad7e461a43e82
                                    • Instruction ID: 33d305d337ca6d4187c8d0829818512a85d81c9acd343126f853b6c01ddcf5c0
                                    • Opcode Fuzzy Hash: ce94fd0703798e00bb9c82280a3d2f05d6126dd281b4770a86bad7e461a43e82
                                    • Instruction Fuzzy Hash: 8231AD716043119FC321EF2AC881E6AB3E9FB84750F09496DF8999B390E730EC05CB92
                                    Function 039AEB1D Relevance: .1, Instructions: 100COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 33d4f09449eaa143384834796625d41a3187786fdbf2ee555bf164dc3d6d4087
                                    • Instruction ID: 65a01344d2a03f817739e146f77388f319405c9e98f4c1cae65176af5b189452
                                    • Opcode Fuzzy Hash: 33d4f09449eaa143384834796625d41a3187786fdbf2ee555bf164dc3d6d4087
                                    • Instruction Fuzzy Hash: 8B31F976B42B869BE322D76ECD4CF65B7ECBB407C4F1D01A0A9458B6D1DB68D840C2A0
                                    Function 039F61C3 Relevance: .1, Instructions: 97COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cfc835da11c15a79ac57f59a7d9c2c14969d54d74fadbbe7ef29d8a3e714ab1a
                                    • Instruction ID: db392b800be53a77a2b3c88e9994523bfa1e47ba35c0ebf3565f1fbe3a8e3528
                                    • Opcode Fuzzy Hash: cfc835da11c15a79ac57f59a7d9c2c14969d54d74fadbbe7ef29d8a3e714ab1a
                                    • Instruction Fuzzy Hash: 6831A176A00219EFDB15DFA8C880FAEB7B9EB84740F454169E900EB284D774ED01CBA4
                                    Function 0395EB20 Relevance: .1, Instructions: 96COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f325ae594200eaf58924f1ddb98845b9d27b61e803f56e7d9e2cba26b637d521
                                    • Instruction ID: fab9b15105221e0242b972b20d08dc2f6b3c7d069ea0230c99bfd09d136ce00a
                                    • Opcode Fuzzy Hash: f325ae594200eaf58924f1ddb98845b9d27b61e803f56e7d9e2cba26b637d521
                                    • Instruction Fuzzy Hash: C0319076E01219AFDB21DEAAC840AEEB7BDEB44751F014566F816EB250D2719A408B90
                                    Function 039D483A Relevance: .1, Instructions: 96COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6b518d279cba8df27dc814f47ab54e60aaac9ff6de8a51c7be8fc857e638586c
                                    • Instruction ID: 9f6ffcf6e658b83664f4ef4ac2236c59e33d4d8209b278b71438f3b9033c4bb3
                                    • Opcode Fuzzy Hash: 6b518d279cba8df27dc814f47ab54e60aaac9ff6de8a51c7be8fc857e638586c
                                    • Instruction Fuzzy Hash: 9B318376A4012CABCF21DF55DC85BDEB7BAEB88750F1440E5A509A7250CA30DE918F90
                                    Function 039F60B8 Relevance: .1, Instructions: 95COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 529891b03ec17178661405d6d8f4cec97cc44f49a8fbff32d9a9b8293b1ab01e
                                    • Instruction ID: e898bcb712c397827a76ce4622a7b989edeae7eb0b89cfabb63aaf2c5efc2b15
                                    • Opcode Fuzzy Hash: 529891b03ec17178661405d6d8f4cec97cc44f49a8fbff32d9a9b8293b1ab01e
                                    • Instruction Fuzzy Hash: 6031E035B00315AFDB22EBA9C840F6FBBB9AB85354F1400A9E651DB381DA70DC008B90
                                    Function 039307AF Relevance: .1, Instructions: 95COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6b8fb31a68c0bd21de17806d5659e59b90da4535cf90a91efea54c4b01f70c93
                                    • Instruction ID: af2f81bd54ea1b14e724b8a0b1384ba4763b07dc3376da462025087c5be953db
                                    • Opcode Fuzzy Hash: 6b8fb31a68c0bd21de17806d5659e59b90da4535cf90a91efea54c4b01f70c93
                                    • Instruction Fuzzy Hash: C531C5B6E04715DBC711EE288890E6BBBA9EFC6750F054929FC569B310DA31DC1187D1
                                    Function 03938550 Relevance: .1, Instructions: 94COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 77dc634da7af08610091483b878793557aaf105d4bf355b4f0c834e9358c6731
                                    • Instruction ID: 4fc1cb21810716c013cb200a697c696015f984495a2b16dac54c1fc77ffbd936
                                    • Opcode Fuzzy Hash: 77dc634da7af08610091483b878793557aaf105d4bf355b4f0c834e9358c6731
                                    • Instruction Fuzzy Hash: 35314BB16093019FE721CF19C840B2AF7E8EF88750F194DAEF8959B251D775E848CB92
                                    Function 0396A6C7 Relevance: .1, Instructions: 92COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                    • Instruction ID: dbbbc6aacf88a0c491c1005973406ab0bc14e20aab66b94095cccf411786c19f
                                    • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                    • Instruction Fuzzy Hash: 813127B2B01B00AFD760CF6DDE41B57B7FCBB48A90F08092DA59AD3650E630E900CB64
                                    Function 039DEBD0 Relevance: .1, Instructions: 91COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0b03bc88f68cb44b740b348ca012ab7d7c7e5fccb107e4a6a56863e68b420694
                                    • Instruction ID: 20ee161361dc01e801073cb526fc68037b88bab97cf30295ac2f55237ce6a34e
                                    • Opcode Fuzzy Hash: 0b03bc88f68cb44b740b348ca012ab7d7c7e5fccb107e4a6a56863e68b420694
                                    • Instruction Fuzzy Hash: DA3187B5909301DFCB14DF28C54196ABBF9FF8A654F088AAEE4889B251D330D905CB92
                                    Function 0395438F Relevance: .1, Instructions: 89COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fa8d5c53b81715675b6d42a1227ea9c30ab67db3fb41f4166cfa2bebaa505e3e
                                    • Instruction ID: fc50d0f40f3ffb03e58b0b1cd47f2eb785d93b887b2366deceddd84db72b795a
                                    • Opcode Fuzzy Hash: fa8d5c53b81715675b6d42a1227ea9c30ab67db3fb41f4166cfa2bebaa505e3e
                                    • Instruction Fuzzy Hash: 0531C431B003059FDB60EFA9C980A6FB7F9EB84745F00852AE845DB254D730E9C5CB90
                                    Function 0392CB7E Relevance: .1, Instructions: 89COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                    • Instruction ID: 4c0ce3c6e96d2e3e962614dc8b7adaf71a28eccf80577430721cc30e7974fbc0
                                    • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                    • Instruction Fuzzy Hash: BB21FD35E4165A6AC711DBB58441BAFFB79AF44780F058436AD55EB340E234D900C790
                                    Function 039EC3CD Relevance: .1, Instructions: 88COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                    • Instruction ID: ac482ac57d051b11c0f9faa2e2b76794319a0387c7db9a4cbc19fb6c519f86cd
                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                    • Instruction Fuzzy Hash: BC210B3F60075576CB16EBA58C40ABAF7B8EFC0610F40801AFDE68A691F634D950C760
                                    Function 0392C156 Relevance: .1, Instructions: 88COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 38603c69c4015bad5bfc2de783e21c9a1d74baf24f1716a63958a06dfa0ca3b3
                                    • Instruction ID: 186cb75c7105b5512383037f47628e3ce9bdf67a0cf939edfce31d7c49809342
                                    • Opcode Fuzzy Hash: 38603c69c4015bad5bfc2de783e21c9a1d74baf24f1716a63958a06dfa0ca3b3
                                    • Instruction Fuzzy Hash: A931E8B55003108BC734FF28C841B69B7B8EFC1354F5885A9DC859F3C1EA749986CB90
                                    Function 0392E420 Relevance: .1, Instructions: 88COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ce8722a5af5ca08d193e88d25f68eb90db12ddc42436c7663f4b732a09dab2db
                                    • Instruction ID: d436ae7c82a268da7a23e52a0ab6260a71ac93bcddd9063ae01a9bf414585920
                                    • Opcode Fuzzy Hash: ce8722a5af5ca08d193e88d25f68eb90db12ddc42436c7663f4b732a09dab2db
                                    • Instruction Fuzzy Hash: 0431B635E41A2C9BDB31DF14CC81FEEBBBDEB45780F0505A1E545AB294D6749E808F90
                                    Function 03964588 Relevance: .1, Instructions: 87COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                    • Instruction ID: 81631745fe48b265614d3596ae80694975cf8523226bd7e2cbfe9c385fbdda3d
                                    • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                    • Instruction Fuzzy Hash: 2B218136A01709EFCB15DF99C984A8EBBB9FF48714F108069ED159F241D671EA05CB90
                                    Function 039644B0 Relevance: .1, Instructions: 87COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: afb986859aadef861a6d1c9ef6bb535f45cb2a20ade223b10a68a94a0cf39c8e
                                    • Instruction ID: 701a63dfe1635c9d3dffd02329978dd5752a914a024baa119b671aabf3eae43c
                                    • Opcode Fuzzy Hash: afb986859aadef861a6d1c9ef6bb535f45cb2a20ade223b10a68a94a0cf39c8e
                                    • Instruction Fuzzy Hash: 4921D2726057559BCB22DF59C890F6BB7E8FF88760F044A19FC549B240DB30E901CBA2
                                    Function 0392E388 Relevance: .1, Instructions: 86COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                    • Instruction ID: f6c9162bee95dec2e18811bca55db2a96802c0f3afa8b4014961b20dde282136
                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                    • Instruction Fuzzy Hash: 73318B35A00A14EFD725DF68C884F6ABBF9EF85354F1449A9E5528B294E730EE02CB50
                                    Function 039AE609 Relevance: .1, Instructions: 86COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 800517555c8de8c4146a42e05ccb7d4b8ee7acef5310d0acb4efbb69d4cddd91
                                    • Instruction ID: 6c5adc0529ae0352faa8bcc2567f76beab29ba8f67db2dc6a103355d960ac79f
                                    • Opcode Fuzzy Hash: 800517555c8de8c4146a42e05ccb7d4b8ee7acef5310d0acb4efbb69d4cddd91
                                    • Instruction Fuzzy Hash: F3319F79A00606DFCB14EF1CC884DAEB7BAFF84304B154A59F8099B390E771EA41CB90
                                    Function 039B06F1 Relevance: .1, Instructions: 79COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ee1856c9e35ad6a5cd5fdab2fa8f15a942234af812e11baea2189701c01d32c
                                    • Instruction ID: aceda9996a59de6350558d11975a41c17ee8dcad066d4f27b3db02607bd1cafa
                                    • Opcode Fuzzy Hash: 2ee1856c9e35ad6a5cd5fdab2fa8f15a942234af812e11baea2189701c01d32c
                                    • Instruction Fuzzy Hash: A4218D75A00629ABCF20DF59C981ABFF7F8FF48740B550069E941AB250D778AD52CBA0
                                    Function 039B019F Relevance: .1, Instructions: 78COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 068eaeae1394a98e5bbe2f1ce5d3f86b68032b425cd700a5d353669159216d5c
                                    • Instruction ID: 41e8dbec73f0be18f04361cabe82dfbed865382e2f25924a7b0e513108cee19b
                                    • Opcode Fuzzy Hash: 068eaeae1394a98e5bbe2f1ce5d3f86b68032b425cd700a5d353669159216d5c
                                    • Instruction Fuzzy Hash: A1219C75600644AFC715DBA9C984F6AB7B8FF88780F140169F944DB7A0D734ED50CBA8
                                    Function 039B0283 Relevance: .1, Instructions: 74COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9f9afc1704ae60c301afc01e83708721eae5f82071bbace311465c4cbffbfaee
                                    • Instruction ID: 045ca7fff82961806d46f7b72988fa7a59aec02d4845068eeb4feb239c36bf8f
                                    • Opcode Fuzzy Hash: 9f9afc1704ae60c301afc01e83708721eae5f82071bbace311465c4cbffbfaee
                                    • Instruction Fuzzy Hash: F9217F729043459BC711EF6ACA48F9BF7ECBFD1680F08445ABC908B251D734D959C6A2
                                    Function 03952835 Relevance: .1, Instructions: 73COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1a8f9471e9a98b426c1a84696405ac3f0d4f0a40fc30e198b23c502541dc5a97
                                    • Instruction ID: 734ae1c6c498a7b2cbfebedfb8fdb38a40937decd9c439e3c5fbe0196e178a0b
                                    • Opcode Fuzzy Hash: 1a8f9471e9a98b426c1a84696405ac3f0d4f0a40fc30e198b23c502541dc5a97
                                    • Instruction Fuzzy Hash: BE21D437705680ABE722D7AC8D44F257798EF817B4F2D07A1FE609F6E1DB68C8418240
                                    Function 0396A30B Relevance: .1, Instructions: 70COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4a53155208f0d7ba547960c7c6c49e00f35313935df639aee31333dbf0f447c0
                                    • Instruction ID: df6c7005e7a5c9a978060c8f5611a867b8564c8683143dfe24ddbfc248848ead
                                    • Opcode Fuzzy Hash: 4a53155208f0d7ba547960c7c6c49e00f35313935df639aee31333dbf0f447c0
                                    • Instruction Fuzzy Hash: D921AC79201B109FC724DF29C900F56B7F5EF88744F1885A8A909CB761E331E842CB94
                                    Function 039B0946 Relevance: .1, Instructions: 70COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c37acf192b8895ebcdcb246bccfb326928009d5a91f739a07e53daacdb8c67ac
                                    • Instruction ID: 54ced6b1b43bf7a545aa980dbfab34b389c2f2995f313decc9900b6613a943b7
                                    • Opcode Fuzzy Hash: c37acf192b8895ebcdcb246bccfb326928009d5a91f739a07e53daacdb8c67ac
                                    • Instruction Fuzzy Hash: 0B2114B5E00318ABCB20DFAAD9809EEFBF8FF98600F14012FE405A7250D7749941CB60
                                    Function 039C80A8 Relevance: .1, Instructions: 69COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                    • Instruction ID: 0c2f45c5468a2eee35821bba1efdc1d091fb8ea83de0f3ed075eb1e83c2c5c76
                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                    • Instruction Fuzzy Hash: 73216776A10249AFDB12DF98CC40FAFBBFAEF89360F214859F900A7250D734D9508B60
                                    Function 03960124 Relevance: .1, Instructions: 68COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                    • Instruction ID: cf2d0ee0fc3d36b938b577f10aab054bdba361ce3312ba8211d40573116be46c
                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                    • Instruction Fuzzy Hash: 7C11DD76602708BFD722DA84CC80FABBBBCEB81794F160429E6008F290D675ED44CB60
                                    Function 03938770 Relevance: .1, Instructions: 68COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ada5afb13f2a9cb02927c18022452ac4fb72e199242d776e99a1156486aea623
                                    • Instruction ID: 5d7db3406f7f6936631f099a7da0f0ced2a684ca6e01883cfbbe55750d10f147
                                    • Opcode Fuzzy Hash: ada5afb13f2a9cb02927c18022452ac4fb72e199242d776e99a1156486aea623
                                    • Instruction Fuzzy Hash: D911BFB5705620EBCB11CF5DC4C0A6AB7EAEF8B790B198069FD09DF205D6B2E9058790
                                    Function 0396AAEE Relevance: .1, Instructions: 68COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                    • Instruction ID: 1a2be995eb9c32910057d6602088211e42efe481f99b27891941ea6eec1219e9
                                    • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                    • Instruction Fuzzy Hash: 85219FB6611642DFC731DF69C540E66F7EAEB84B90F19857DE845AB610C730EC01CB90
                                    Function 039380E9 Relevance: .1, Instructions: 66COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 38cb2ebdc49e12d6f6b7e470db497694ba8e003434b42808230abfa5b476968e
                                    • Instruction ID: 35234398776605306c11da621a7835b8fd274ed43831cfbcd9136da1ac612838
                                    • Opcode Fuzzy Hash: 38cb2ebdc49e12d6f6b7e470db497694ba8e003434b42808230abfa5b476968e
                                    • Instruction Fuzzy Hash: 6B218175A04205DFCB14CF98C581A6EBBFAFB89314F24456DE505AB310D771AD0ACBD0
                                    Function 0396674D Relevance: .1, Instructions: 65COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 569507ddce46c0e6359b2709b4e9eeea2d78154511af399fd723c89b5277f2f9
                                    • Instruction ID: b4dd941deb1841ff4eadc231a6c1da973f10d750316ed4219b803ec4dfeb9967
                                    • Opcode Fuzzy Hash: 569507ddce46c0e6359b2709b4e9eeea2d78154511af399fd723c89b5277f2f9
                                    • Instruction Fuzzy Hash: 33215C75612B00EFC720DF79C881F66B3E8FF84250F44882EE49AC7650DA70AC50CBA0
                                    Function 0395E8C0 Relevance: .1, Instructions: 63COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 362c2b5a3d34f1976df975f71737dc07cebbb75ef76b21aa28f4753abde67c91
                                    • Instruction ID: 3aa7f4666b2e066c549c89c79f7254d6734cece2eb02dad2950ea118b99547ab
                                    • Opcode Fuzzy Hash: 362c2b5a3d34f1976df975f71737dc07cebbb75ef76b21aa28f4753abde67c91
                                    • Instruction Fuzzy Hash: 1A114C377001145BCF19DB29CC90A6BB25ADBC53B0B29893AE913CB250EB31CC41C390
                                    Function 039C6870 Relevance: .1, Instructions: 63COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7be5cf2b68a02969c70c36d76f73a6051adba32533be7a36f66523da72d995ec
                                    • Instruction ID: de2ebef39d798bf711fc1e3f79bd736e7d08d924d0cfc25fb24cad3da27b8ee3
                                    • Opcode Fuzzy Hash: 7be5cf2b68a02969c70c36d76f73a6051adba32533be7a36f66523da72d995ec
                                    • Instruction Fuzzy Hash: 4611C136250644EFC722DB99C940F5AF7ACEF896A0F094068F6059B250DA70EC01C7A1
                                    Function 039666B0 Relevance: .1, Instructions: 61COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e3ec2665d31b3494e28c7abc45e6cc67d7a37589ea21162861940e6dd77d9527
                                    • Instruction ID: 9329532fc6626ad7dc9acd0aab121d83ab95520764c3a67280f190f7d955d073
                                    • Opcode Fuzzy Hash: e3ec2665d31b3494e28c7abc45e6cc67d7a37589ea21162861940e6dd77d9527
                                    • Instruction Fuzzy Hash: 45119E76A02344EFCB25DF5DD580E5ABBEDEF94690F098079E905AB310D670DD01CBA0
                                    Function 03930AD0 Relevance: .1, Instructions: 61COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                    • Instruction ID: 3d35d4f1647a7a2cc4258bf915cc2e723abcdf65c9770e22a44e1baf71bf4ce8
                                    • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                    • Instruction Fuzzy Hash: 0F2106B5A00B059FD3A0CF29C440B52BBF4FB48B10F10492EE88ACBB50E371E814CB94
                                    Function 039FA8E4 Relevance: .1, Instructions: 61COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                    • Instruction ID: c9ed3f8aa379f5f7cccabb0578bfb27e79646210a3029d1c9783ae29b7bba897
                                    • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                    • Instruction Fuzzy Hash: 9511C436A00A15AFDB19CB54CC05B9DF7F5EFC4310F098269E95597340E671ED51CB80
                                    Function 039BE7E1 Relevance: .1, Instructions: 59COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                    • Instruction ID: 56aa575cb8948016ebce1b5feea38c9b926e0584bf34f6a87edb8895e0cf96c4
                                    • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                    • Instruction Fuzzy Hash: 73114C36A00A00EFD721DF85DA44BD6B7FEEB85794F098428E9499B160DB71DD40DBD0
                                    Function 039527ED Relevance: .1, Instructions: 58COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 45e7bdcbdff242d7c77e2a654b4f03dddb6534654511ae002cba154252f99e2a
                                    • Instruction ID: b9a33d8f688aaeb52faea9440d7161b044b146313179f5956e4ff5faebc184a5
                                    • Opcode Fuzzy Hash: 45e7bdcbdff242d7c77e2a654b4f03dddb6534654511ae002cba154252f99e2a
                                    • Instruction Fuzzy Hash: 8201C476605644ABE716E3AE9884F67A69CEF81394F090466F9408B650DA54DC00C2A1
                                    Function 03934690 Relevance: .1, Instructions: 57COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 625de5c665d127dde2b5bb0bd60860d54d71a6e775f3d2ab297bb94471e2e9e5
                                    • Instruction ID: b605443f13d73c8d398487800ee413567bc2fb3b3f28d3addf79435bb474c358
                                    • Opcode Fuzzy Hash: 625de5c665d127dde2b5bb0bd60860d54d71a6e775f3d2ab297bb94471e2e9e5
                                    • Instruction Fuzzy Hash: 9611CEBA241744AFCB25CF5FD944F56B7A8EB87BA4F0A451AF8158B290C370E840CF60
                                    Function 03966620 Relevance: .1, Instructions: 56COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 299572a3455459d8223a23a05bb2d4b5b78462f1f108155d1165fd0fb70fde89
                                    • Instruction ID: 5ba6f6c668b6b3a43f14a42c9f728a90f7dc826e975bfa5793f8784e8a8c90cb
                                    • Opcode Fuzzy Hash: 299572a3455459d8223a23a05bb2d4b5b78462f1f108155d1165fd0fb70fde89
                                    • Instruction Fuzzy Hash: E411E576A01715ABCB21FF69D9C0F5EF7BCEF89780F550055D901AB200D730AD018BA0
                                    Function 0395EA2E Relevance: .1, Instructions: 56COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a2e6dfbc227862c790488df0d70e9ac40ab10b5fadcf4de75ceb5386ec13f762
                                    • Instruction ID: 93326377b00b7850ce5f16b996be69f1312cf9bb89e1188c3407529858fc045e
                                    • Opcode Fuzzy Hash: a2e6dfbc227862c790488df0d70e9ac40ab10b5fadcf4de75ceb5386ec13f762
                                    • Instruction Fuzzy Hash: 9501CC75D002089FD724EF29D408F66FBE9FBC6314F2481AAE4058B660D770ED86CB90
                                    Function 0395E53E Relevance: .1, Instructions: 55COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                    • Instruction ID: 965b86b8abe3d012a671233c13b856e231cd061027732ad060d82abd65987d5e
                                    • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                    • Instruction Fuzzy Hash: 2111C2766066C59BFF22DB2C8984B65B79CAB41B85F1D04E2ED42CB641F329CD82C350
                                    Function 039BE75D Relevance: .1, Instructions: 54COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                    • Instruction ID: 37b4f46012a78788cc7e8cb1aefd7ed78a163db901f2252433620cc49d2fdb72
                                    • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                    • Instruction Fuzzy Hash: E401DE76E00204AFD721DF5CEA84FDABBBDEB81B90F098424E9059B260E775DD40CB90
                                    Function 0392A250 Relevance: .1, Instructions: 52COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                    • Instruction ID: b9fbe614e58ff69758181f1a6731684e9453949929b217bbbe3f79357f6b9776
                                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                    • Instruction Fuzzy Hash: BB01D672505B219BCB30CF55D840A36BFADEF457A0705896DFC958B694DB35D820CB60
                                    Function 03936259 Relevance: .1, Instructions: 51COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cf0721868fcb0471ba51c0bbe9aea4c60ddde8000f799c42797870a572a14d68
                                    • Instruction ID: 777b34a909557bef5cdeadc918a967a1a8fe7eb6f2f99e85dd226a8b395522c7
                                    • Opcode Fuzzy Hash: cf0721868fcb0471ba51c0bbe9aea4c60ddde8000f799c42797870a572a14d68
                                    • Instruction Fuzzy Hash: 32119A74601328ABDB25EB24CC82FE8B378EB45710F5045D4A318AA0E0DB709E81CF84
                                    Function 039AE1D0 Relevance: .1, Instructions: 51COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 98db22a83fbc68adc844c4fd4b55735fff79e1ee2a5172f82697fb3b9bcede5c
                                    • Instruction ID: 32744a6c034f8e314c12eecdb06c6a2a592f3f28c9ba9a8e525625e6e840135e
                                    • Opcode Fuzzy Hash: 98db22a83fbc68adc844c4fd4b55735fff79e1ee2a5172f82697fb3b9bcede5c
                                    • Instruction Fuzzy Hash: 03118B36641740EFCB15EF18C990F16BBB8FF88B84F240065ED059F6A1C235ED01CA90
                                    Function 0393208A Relevance: .0, Instructions: 50COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                    • Instruction ID: 5f627dd4057bfb76f98ab3ebdcf343f1e6f8aaac2a62b5f9e061efd2aee9eaff
                                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                    • Instruction Fuzzy Hash: 080124776002108BDF10EB29E880BA6B76EBFC5740F1958A9ED868F245EA71C881C790
                                    Function 039B6050 Relevance: .0, Instructions: 50COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6d484856883a2fd7af6937cdd2f9f6b55ecbe9d6d7f6f7c4c349cac3d0d2aa0a
                                    • Instruction ID: 7e460499404d8d9c825035f994f5349f06ba4905cc74c2f1a45ee9db995d8163
                                    • Opcode Fuzzy Hash: 6d484856883a2fd7af6937cdd2f9f6b55ecbe9d6d7f6f7c4c349cac3d0d2aa0a
                                    • Instruction Fuzzy Hash: 5C111777900119ABCB11DB95CD84DEFBB7CEF48254F044166A906A7210EA34AA15CBA0
                                    Function 039C6500 Relevance: .0, Instructions: 50COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 27533ad84132dabc89981ac42aa7bf063a4391bd8110b4a4adc875c5bb59e1dd
                                    • Instruction ID: ecf22a3f3a5902a38e410599b375dce1c00101248591f872d2cdc18fb8015513
                                    • Opcode Fuzzy Hash: 27533ad84132dabc89981ac42aa7bf063a4391bd8110b4a4adc875c5bb59e1dd
                                    • Instruction Fuzzy Hash: 0711A1366541859FC710CF58D810BA6FBB9FB9A354F1C8159E8488B316D732E881CBA1
                                    Function 039DEA60 Relevance: .0, Instructions: 50COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16d03782280cd80322ed21b3454edc3c54cede8a4eb07e41fac4cecebb8033f1
                                    • Instruction ID: 08365e6de34d829b49bde05e291f78e840152be6a3954460dd776aa37523cc66
                                    • Opcode Fuzzy Hash: 16d03782280cd80322ed21b3454edc3c54cede8a4eb07e41fac4cecebb8033f1
                                    • Instruction Fuzzy Hash: 1701D4399402129BDB31EF258441D76BBADFF82690B48C86EF5445F250CB30DC41CBA1
                                    Function 039BC810 Relevance: .0, Instructions: 50COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fcc3a1c97941d5f1d6cba033393b7891dd1aa692a5d391f40cbc6900a5ad3e16
                                    • Instruction ID: e75f51c174400ee54c213ebb46f02a4a0eb9c0f6c933c59485eb046dbdf242c8
                                    • Opcode Fuzzy Hash: fcc3a1c97941d5f1d6cba033393b7891dd1aa692a5d391f40cbc6900a5ad3e16
                                    • Instruction Fuzzy Hash: 3711E8B5A002099BCB04DFA9D581AAEB7F8FF58240F14406AA905EB351D674EA018BA4
                                    Function 039720F0 Relevance: .0, Instructions: 49COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a70eb35f1f28ae96509b28cdfc8c910985ce2ea9abf13fbbfb4fcd1460a7e36b
                                    • Instruction ID: 1b44f1326ce54fe1485ee9d8bbb5aa9fcc2a8db87c7e35e20c946eb595e79ee5
                                    • Opcode Fuzzy Hash: a70eb35f1f28ae96509b28cdfc8c910985ce2ea9abf13fbbfb4fcd1460a7e36b
                                    • Instruction Fuzzy Hash: B6116935A0020CEBDB05EFA9C851EAF7BB9FB84240F004499E9019B290DA35EE11CB90
                                    Function 0392C020 Relevance: .0, Instructions: 49COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                    • Instruction ID: cd51825690a3115a448a9197604cea0e31512a9f726a6b005c474f9edaaee95f
                                    • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                    • Instruction Fuzzy Hash: 4E01D836100B449FDF22EB66D940EABB7EDFFC5694F08481AA9468B584DE70F441CB50
                                    Function 0396E5CF Relevance: .0, Instructions: 49COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 398c836a475742942d652e9f924f37753c0c8807f3757986151c43f092e7380e
                                    • Instruction ID: 8fab0543f38f850cc17ecabb78b3e0e846ca59210b80ef55d9331f13733f7682
                                    • Opcode Fuzzy Hash: 398c836a475742942d652e9f924f37753c0c8807f3757986151c43f092e7380e
                                    • Instruction Fuzzy Hash: 81018F76201A14BFC711FB7DCD84E57BBACFB856A0B040A26B9098B661DB64EC11C6E0
                                    Function 039C69C0 Relevance: .0, Instructions: 49COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7a78bf8dcedec1cacd60b493773e8c16e3da80bd3031867df0ea558d9cce8308
                                    • Instruction ID: b8b595dd4654d9eff698f4378cb2a881bbfccde55d39fa6d615b5737e20eb6c7
                                    • Opcode Fuzzy Hash: 7a78bf8dcedec1cacd60b493773e8c16e3da80bd3031867df0ea558d9cce8308
                                    • Instruction Fuzzy Hash: 2F01D836324341DBD320DF6988889A6F7ACEF84660F15452DE8598B1C0E7309912C7D2
                                    Function 039BC460 Relevance: .0, Instructions: 48COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 63f4c5491aa808f5fa4efe7d2600e8d4b17977305854398768cbfa15a1d663d6
                                    • Instruction ID: 6223491c850a793fb928bf3a0dcf6d9443fc8662da29e6e6c0773194074d57eb
                                    • Opcode Fuzzy Hash: 63f4c5491aa808f5fa4efe7d2600e8d4b17977305854398768cbfa15a1d663d6
                                    • Instruction Fuzzy Hash: 28112175A0120CEBDB15EF65C945EEEBBBAEB88350F004059F80297390DA35DE11DF90
                                    Function 03A04A80 Relevance: .0, Instructions: 48COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                    • Instruction ID: d38dcb5dd8b95caf3206e599e67789e3ead5464f2ac31bf31c97468b30ee1098
                                    • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                    • Instruction Fuzzy Hash: ED01DD361007019FDB21DB5AE841F57B7E5FBC9700F08441EE6438B690DA70F850CB54
                                    Function 039BCA11 Relevance: .0, Instructions: 48COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7df2fda4110d13c1b27e4f4feb3dc2aef694912c79287e12fa8f8e20c3101d11
                                    • Instruction ID: 807520b28aa5d3a56db85723a967b8b26485ac5f7edce7bf4af7f8909d743dd0
                                    • Opcode Fuzzy Hash: 7df2fda4110d13c1b27e4f4feb3dc2aef694912c79287e12fa8f8e20c3101d11
                                    • Instruction Fuzzy Hash: 90117C75604304DFC700DF69C44199BBBF8EF89350F00451AB958D7390E630E900CB92
                                    Function 039BC97C Relevance: .0, Instructions: 48COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 26f4b2bb9d76c3eca9205bca85d0410028c7d8064402811cbc3eba64a55bf1ba
                                    • Instruction ID: 9609fe628dcc9a634f25277c5ad5835c039cdde26717f46ab46fa8043536e23b
                                    • Opcode Fuzzy Hash: 26f4b2bb9d76c3eca9205bca85d0410028c7d8064402811cbc3eba64a55bf1ba
                                    • Instruction Fuzzy Hash: AA1139B56183089FC700DF69D54299BBBF8EF98750F04491AB998DB391E630E901CBA2
                                    Function 0392826B Relevance: .0, Instructions: 46COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 30b575c3698a97e0596b7e733923ab208f21f7559c9c0cf5b5758c70f96200fb
                                    • Instruction ID: 41ece995d808935a881d8b740f533aaf972fdd66a9e6f7a1d9ae121889a2619d
                                    • Opcode Fuzzy Hash: 30b575c3698a97e0596b7e733923ab208f21f7559c9c0cf5b5758c70f96200fb
                                    • Instruction Fuzzy Hash: 8001A735704A18EFC714EB69D9149AEBBBDEF81690B1940299902AB684EE30DD01C6A1
                                    Function 0394E016 Relevance: .0, Instructions: 46COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                    • Instruction ID: cd79874095b742072335ec3b03bbb895b58d3994e610575889f305d86c98c6dc
                                    • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                    • Instruction Fuzzy Hash: CC017872604A849FD322D71DC948F36B7ECFF85790F0D04A2E815CBAA2D768DC40C621
                                    Function 039DEB50 Relevance: .0, Instructions: 46COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 714811376033190f0ba38eaa912f6883deb09670f4e3ad413fcf9eccdbae2c3e
                                    • Instruction ID: d2316f2198b28702efd1139bcdf19893de9e9cf5ff9d432bc8cdef260f39c5e1
                                    • Opcode Fuzzy Hash: 714811376033190f0ba38eaa912f6883deb09670f4e3ad413fcf9eccdbae2c3e
                                    • Instruction Fuzzy Hash: C101F271641B11AFD731DB1AD801F16BAA8EF96B90F01482AB6459F390C6B4A8418B54
                                    Function 03932582 Relevance: .0, Instructions: 45COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7f250c090003d22e7c5524ebb53217e972ae92d14f6977a30f3a0001a2d529fa
                                    • Instruction ID: 28af0a4db097fc348c6cbbf1ff9e05c5dcf5ab1f9430e4f9ccfaed7f7490a4e1
                                    • Opcode Fuzzy Hash: 7f250c090003d22e7c5524ebb53217e972ae92d14f6977a30f3a0001a2d529fa
                                    • Instruction Fuzzy Hash: 87F0F477741B20BBC731DB96CC40F17BAADEFC5B90F054428A6059B600DA30ED01CAA0
                                    Function 0392C310 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                    • Instruction ID: 218e7acb1e3c7c952aa716f2dd4332a7981940c04b5db63fc9e0e82a80b691af
                                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                    • Instruction Fuzzy Hash: 64F0FC37244F329BD732DA594880F6FAD998FC5AE4F190435E1099F20CCA649C055AD0
                                    Function 0395C073 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                    • Instruction ID: eda665dd2bbaeb3c4f6567d020627447a6aa431d38802f7bfeec17ae40d51218
                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                    • Instruction Fuzzy Hash: BFF0C2B3600610ABD324CF8DDC40E57F7EEDBC0A80F098128A905CB220EA31DD04CB90
                                    Function 03A04FE7 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 70b90bffb0c4cc58a0df840032a0b5aa7094cdcd2d98f7eab23d702af3f85393
                                    • Instruction ID: b7ecc42ba989f2d2adf7746dc4f9aa6baf15f570225a7a302211c3dd3b19659c
                                    • Opcode Fuzzy Hash: 70b90bffb0c4cc58a0df840032a0b5aa7094cdcd2d98f7eab23d702af3f85393
                                    • Instruction Fuzzy Hash: D1012175A00209AFDB00DFA9D9819EEB7B8EF49344F14405AE501E7380D674DA018BA1
                                    Function 0396CA6F Relevance: .0, Instructions: 42COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                    • Instruction ID: ca4aafe61c22c701a1d44439e061aba5a704caeee452fc50798b177301aac738
                                    • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                    • Instruction Fuzzy Hash: 9901F436205A849BE722D72EC805F59BFDCEF81790F0C45A1FA448F6A1D778C800C650
                                    Function 039B63C0 Relevance: .0, Instructions: 41COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                    • Instruction ID: 5f161b8a8e7cb3413a69957af3459eb43edfb122ef5f52729493bdd6cc3aa18e
                                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                    • Instruction Fuzzy Hash: ECF01D7620011DBFEF019F95DD80DEFBB7EEB892D8B104125FA1196160D731DD21ABA0
                                    Function 03A061E5 Relevance: .0, Instructions: 41COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b5a3be17eea76bb82a432a404a311c9470907a60f3d3daa539a9a13c881c35b3
                                    • Instruction ID: bd4a76ca2edf73c3e3f0841921137b57265d5722328fa99a1103599d9efe845d
                                    • Opcode Fuzzy Hash: b5a3be17eea76bb82a432a404a311c9470907a60f3d3daa539a9a13c881c35b3
                                    • Instruction Fuzzy Hash: 77014F75E00259DBDB04DFA9E845AEEB7F8EF48314F14405AE501AB290D774EA01CBA5
                                    Function 039BA4B0 Relevance: .0, Instructions: 40COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5347cde65d18d146950fda26293e21cf4096db782419d14206fd6e56605ca897
                                    • Instruction ID: d4d37952dba3372847ae8a2e27e0d8407a923a0141f90ef0afa256e3158f320f
                                    • Opcode Fuzzy Hash: 5347cde65d18d146950fda26293e21cf4096db782419d14206fd6e56605ca897
                                    • Instruction Fuzzy Hash: A2018536100209ABCF129E84D940EDE7B7AFB4C7A4F0A8101FE1866220C232DA71EB81
                                    Function 0392C0F0 Relevance: .0, Instructions: 39COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 958c1ec125c6e28c5f0c1330bce555450ac7a45a285b48435c5a95a58c230c60
                                    • Instruction ID: 66f395a96b20437855fc595abc965253b7d5daf3160dbec8b80a44da9bad5aab
                                    • Opcode Fuzzy Hash: 958c1ec125c6e28c5f0c1330bce555450ac7a45a285b48435c5a95a58c230c60
                                    • Instruction Fuzzy Hash: 58F024712047245FE310D6999C02B773ADEEBC07A0F29806AEB058F2C6EA70EC018B94
                                    Function 0396656A Relevance: .0, Instructions: 39COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8f027e65cc1521a66bfa630f9aae2890f7159410711d63e7b5ac6c86eb5098d1
                                    • Instruction ID: cc48642033d057281af2089a28a6b968cee6cfd47c9df673b8ca6798532eddf5
                                    • Opcode Fuzzy Hash: 8f027e65cc1521a66bfa630f9aae2890f7159410711d63e7b5ac6c86eb5098d1
                                    • Instruction Fuzzy Hash: BC01A474601B819BE322D73DCD59F2577ACFB81B80F8C0694B9018FAD5DBA8D401C510
                                    Function 039D437C Relevance: .0, Instructions: 37COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                    • Instruction ID: fa207ecfbcfb893ececf2bfb93fa4873d259d55be1a118239663e5ca48f99916
                                    • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                    • Instruction Fuzzy Hash: 4BF0E935381B1247D736EA6F8521B2FE25D9FC0980B4D852C9801CFE40DF30D8008780
                                    Function 039BC89D Relevance: .0, Instructions: 36COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5f19784949dd713cd8482d996f276f9846457875d9f0b098a863906bc25bbc77
                                    • Instruction ID: 941d6b4897ae104b80fc3ebe01d64f34185fe17a77b2bfc05f148366f1990f67
                                    • Opcode Fuzzy Hash: 5f19784949dd713cd8482d996f276f9846457875d9f0b098a863906bc25bbc77
                                    • Instruction Fuzzy Hash: 06F0C2756053049FC310EF29C942E1BB7E8FF88700F44465AB898DB3D0E634E901CB96
                                    Function 039BE872 Relevance: .0, Instructions: 36COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                    • Instruction ID: 2f58c6cd78df3915d16d53a25f7d64edea8312e33029dd8c919c0fd7380ad31f
                                    • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                    • Instruction Fuzzy Hash: 7CF05E36B11A119BD321DA59ED80F96B3BCAFC5AA0F1D0565A9049B260C760EC0187D0
                                    Function 03960854 Relevance: .0, Instructions: 35COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                    • Instruction ID: 85f45b52dea1c7dc218e35936edfc11088c0d211bddf9cf1857e03004b8dad03
                                    • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                    • Instruction Fuzzy Hash: 3CF02E72600204AFE324DB25CC00F86B3E9FF98340F1480789844CB2A0FAB1EE00C694
                                    Function 039BC912 Relevance: .0, Instructions: 34COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4214c498909015a19abb994301b5c5a56e0f7054222baa450bca1816c0bdaf73
                                    • Instruction ID: edc028bba9741f44168246f939c10f4cdda252e6a8e8c047815d18b55c3b3437
                                    • Opcode Fuzzy Hash: 4214c498909015a19abb994301b5c5a56e0f7054222baa450bca1816c0bdaf73
                                    • Instruction Fuzzy Hash: 68F06274A01349DFDB04EF69C555EAEB7B8EF58300F008056B855EB385DA74EE01CB91
                                    Function 039347FB Relevance: .0, Instructions: 33COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 17013b3d5f69a88417713f5641725e2533570c7c20174fd5fe827c091dc67b26
                                    • Instruction ID: 408a777a8ce0456cb8d122c880ca431994f8ac2aca0256ad89ce00d64c1adbf3
                                    • Opcode Fuzzy Hash: 17013b3d5f69a88417713f5641725e2533570c7c20174fd5fe827c091dc67b26
                                    • Instruction Fuzzy Hash: 76F0BEB99127E09FD732CB6BC554B62B7ECDB027A0F0E89AAD48987641C724D881CE50
                                    Function 039F0115 Relevance: .0, Instructions: 32COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: efe89ccf2a527b579ea28018f8e680c2563bfa667b4bff602584b026372525aa
                                    • Instruction ID: e23366de73b139a81b22d321d1a129d08562371107384da97f8b989d32e7b8a1
                                    • Opcode Fuzzy Hash: efe89ccf2a527b579ea28018f8e680c2563bfa667b4bff602584b026372525aa
                                    • Instruction Fuzzy Hash: E4F0273A5177C04ECF32FB2C64502A2AF5CD792150F1D1485C5B15B306C9B88483C720
                                    Function 03972619 Relevance: .0, Instructions: 31COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                    • Instruction ID: e9902991ed465e229eea907d5437fea44e78df30475c8728216cbc7f12eec7eb
                                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                    • Instruction Fuzzy Hash: 8DE092723106006BD721EF59CC84F47776EEFC2B10F05047AB5045E291CAE29C0982A4
                                    Function 0396C5ED Relevance: .0, Instructions: 31COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 66aa1c99dc841a3a9269a6b1890c98e38c19c9d19e2b72a38e7d498be6378661
                                    • Instruction ID: e03c7ba1ca2c97254629a4da8495115e04d0805596415eb056523017db676b7a
                                    • Opcode Fuzzy Hash: 66aa1c99dc841a3a9269a6b1890c98e38c19c9d19e2b72a38e7d498be6378661
                                    • Instruction Fuzzy Hash: D9F027755136569FC332F718C148B55B3DCAB447E1F0CA966F48AC7952C364C880CE58
                                    Function 0396CF80 Relevance: .0, Instructions: 31COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                    • Instruction ID: 13549990ca28d134cb92bb441dfcb8250e9ba834e424de7503fb1b0b0f827caf
                                    • Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                    • Instruction Fuzzy Hash: 77F0A776204606EFDB11EB5AE840E5EFFAEEFC5750F144052F9544B350D731A861CB50
                                    Function 039C6030 Relevance: .0, Instructions: 29COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                    • Instruction ID: 8db0ed893a21d1d1dee0b480cf2eac1ec42767887459bdf526e874c4b4a1f911
                                    • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                    • Instruction Fuzzy Hash: CAF06572114244EFE320CF46D944F62B7ECEB45364F4AC469E609AB560D379EC40CBA5
                                    Function 03930710 Relevance: .0, Instructions: 28COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                    • Instruction ID: f3251e9eeefcfa514e43a1bb1bd926c10378e80b6a92d437d48706a2b610cbd0
                                    • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                    • Instruction Fuzzy Hash: 5DF0ED7E6043449BDB16DF1AC490AA57BA8EB823A0B0404D4E8438B300EB31EA82CB80
                                    Function 039649D0 Relevance: .0, Instructions: 28COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                    • Instruction ID: b2135e7786e8b92fde007928f532f5ed4a10171b87caf5435087339c33050c19
                                    • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                    • Instruction Fuzzy Hash: 46E0D832245244BBE3219ED68C02F6677A9DBC1BE0F160429E1488B550DB70DC40C7EC
                                    Function 039D678E Relevance: .0, Instructions: 27COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                    • Instruction ID: fd3ba26cf7ebf8eb2f6ecc30be55209542e35ce96efe4e1d58081a10bad41cc9
                                    • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                    • Instruction Fuzzy Hash: 78E04F72A41218BBDB21DB998D06F9BBABCDB94EA0F564055B601EB1A0D570EE00D690
                                    Function 039325E0 Relevance: .0, Instructions: 23COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 09f1f7f373721dce10ae56f9065cfce9581a9edc58e9dfcc9bf990798753ef45
                                    • Instruction ID: aeae0df4ed1a521583c9c9c9e6d739585417bc3882b958e230ecbb9edb70cb46
                                    • Opcode Fuzzy Hash: 09f1f7f373721dce10ae56f9065cfce9581a9edc58e9dfcc9bf990798753ef45
                                    • Instruction Fuzzy Hash: BFE09276110B549BC321FB29DD01F9A779AEF91765F014525F1555B1A0CA34AC10C784
                                    Function 039B4000 Relevance: .0, Instructions: 22COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                    • Instruction ID: 0c03503b5f8818aba674444ffbafe60da1837f5b7fcc3db2492c2b6467e2a966
                                    • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                    • Instruction Fuzzy Hash: BDE0C2343003058FD715CF1AC140BA2B7BABFD5A50F28C068A8488F206EB32E842DB40
                                    Function 0396CA38 Relevance: .0, Instructions: 22COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 20806aa3fa18302ac1df630beb3d84c228e25fba4f44fc3db9008dd10aa62a64
                                    • Instruction ID: d7d32834f010fd43f10ebd89f92a97ed6d74eb732ac1ed795d642aea94db2c05
                                    • Opcode Fuzzy Hash: 20806aa3fa18302ac1df630beb3d84c228e25fba4f44fc3db9008dd10aa62a64
                                    • Instruction Fuzzy Hash: 58D02B324821207ADB74F5597C04FA33A5DDB80760F0248A1F50896020D614DC819BC4
                                    Function 0392823B Relevance: .0, Instructions: 21COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                    • Instruction ID: ebbf5d91f2a2e73ef3d80ab9f1a4ef62033345ef74b4bd4155e70748a4fbc11c
                                    • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                    • Instruction Fuzzy Hash: F7E08C36119A20EEDB31EF21DC04F527AA9FB84B90F144D69E0820A4A88770A895DA44
                                    Function 03932050 Relevance: .0, Instructions: 20COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3179c9eee1ff1b3d4f08a25af1d1738899712368b355a203d1ddd94119b29959
                                    • Instruction ID: 54ddf7298e1fc3cdf59d2b5b80c11e2bcd9f51df5d0bd50bd12d6e6e72a2b6e8
                                    • Opcode Fuzzy Hash: 3179c9eee1ff1b3d4f08a25af1d1738899712368b355a203d1ddd94119b29959
                                    • Instruction Fuzzy Hash: D4E0C2722006506BC321FB6DDD40F5A739EEFE5760F014221F5508B6A0CA64AC01C794
                                    Function 03968A90 Relevance: .0, Instructions: 20COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                    • Instruction ID: 344f679e77d91a11227702bdec50f8bd3f668efc14f9a7390f0a1a40bc514e67
                                    • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                    • Instruction Fuzzy Hash: C3E08633115A1487C728DE18D915B72B7A8EF45720F09463EAA5347780C534E544C794
                                    Function 03986AA4 Relevance: .0, Instructions: 17COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                    • Instruction ID: 1a395c9a17b448db10fe0acb8a94afe414fbd7f111902e05e261b99c23858e1d
                                    • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                    • Instruction Fuzzy Hash: C0D05E3A611A50EFC332AF1BEA00D53FBF9FBC4A51709062EA54587920C670A806CBA0
                                    Function 0396E59C Relevance: .0, Instructions: 16COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                    • Instruction ID: 25f5fc3e2a5c55f655a3775089b9443b2c8c7d0f27665d63a8988a2e8368f32b
                                    • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                    • Instruction Fuzzy Hash: 29D0A932214A20ABD772EA2CFC00FC333ECBB88761F0A0599B409CB050C360AC81CA84
                                    Function 039AE908 Relevance: .0, Instructions: 16COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                    • Instruction ID: fdce036dd9e06ea7542ccf5cd3c23d2c64726006081853bb387179bfc9ea26b8
                                    • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                    • Instruction Fuzzy Hash: C8E0EC7AE54B849BCF56EF59C640F5AB7B9FBC5B40F190158A4485F660C624AD00CB80
                                    Function 0392A0E3 Relevance: .0, Instructions: 15COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                    • Instruction ID: a07b280a826ff690dfc3d69b2b3a991636511f68b2ec40ce240425100f63d04a
                                    • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                    • Instruction Fuzzy Hash: C6D0223332743093CB28E6606800F63AD099BC1AA0F0A002C380AD3804C8048C42C2E0
                                    Function 0396CA24 Relevance: .0, Instructions: 14COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1bce0d257f194835d42e0ca5ca30f94f56317e6e3733bcb89c3abaf984ad6a1c
                                    • Instruction ID: cec596899d7ad909567705d2985e087e49f177a0503e8abf950c63670a05213c
                                    • Opcode Fuzzy Hash: 1bce0d257f194835d42e0ca5ca30f94f56317e6e3733bcb89c3abaf984ad6a1c
                                    • Instruction Fuzzy Hash: 86D0A73461A501CBDF2ADF18C910E3E76B8EB10680F440168FA4091420E328DC01CB40
                                    Function 0396A830 Relevance: .0, Instructions: 14COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                    • Instruction ID: 3e5c65b02850ab3accf136010b5f6d8b104363e0c4c5fbe02d28195677c7d057
                                    • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                    • Instruction Fuzzy Hash: BDD0123B1E064CBBCB11EF65DC41F957BA9E794BA0F448120B9048B5A0C63AE960D584
                                    Function 039402A0 Relevance: .0, Instructions: 13COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                    • Instruction ID: 01c211389d8f15884f74310b98c195c738ac434eb5b5d3ef4d76e55a59295cb9
                                    • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                    • Instruction Fuzzy Hash: CBD0C935212E80CFD61BCF0DC5A4F16B3B8BB44B84F8508D0E501CBB61E66CD940CE00
                                    Function 0396C700 Relevance: .0, Instructions: 12COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                    • Instruction ID: e848e582d9469e0aefd3349fa095945b3c330b908d49f0d93ee56c8967e4f165
                                    • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                    • Instruction Fuzzy Hash: B6C0123A2A0648AFC712EAA8CD41F027BA9EB98B40F004021F6048B670C631E820EA84
                                    Function 03950310 Relevance: .0, Instructions: 11COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                    • Instruction ID: 5d6c1f69cbfbbc757aff9da9ca9eef3d5686953f7d311a94a4480a3eed9e03b0
                                    • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                    • Instruction Fuzzy Hash: B9D01236100248EFCB01DF41C890D9A772AFBD8710F148019FD190B7108A31ED62DB50
                                    Function 03930750 Relevance: .0, Instructions: 9COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                    • Instruction ID: abb8464132584bf38cdc052815575c69843b603ac24b0285d6af11df8a6ec665
                                    • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                    • Instruction Fuzzy Hash: D7C0487AB01A418FCF15EB2AD2E4F5977E8FB84780F1908D0E805CBB21E624E811CA10
                                    Function 03974340 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bfef6a617e30c74efdf163aec9f0e75d522a20afc1ebd8e429cf0f9263a7921e
                                    • Instruction ID: 64b7a05ba77a728ed28f30ba41ad2ce6a5c0d11ee0d3640f1e89f97a4d881790
                                    • Opcode Fuzzy Hash: bfef6a617e30c74efdf163aec9f0e75d522a20afc1ebd8e429cf0f9263a7921e
                                    • Instruction Fuzzy Hash: DF90023160990412A140B25848C8586404A97E0301B95C011E0424558C8B148A565371
                                    Function 03974650 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b8830771cf12cd593b68d297b98250bfc0fa31c753ad32944f227c0832d4912
                                    • Instruction ID: 9540c71a787de461ea2939e32eea642f0bcb5b8bac4979f14342257bc86ed131
                                    • Opcode Fuzzy Hash: 2b8830771cf12cd593b68d297b98250bfc0fa31c753ad32944f227c0832d4912
                                    • Instruction Fuzzy Hash: B9900261605604425140B2584848446604A97E13013D5C115A0554564C871889559279
                                    Function 03972B80 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f3b38d14f3dd4c676331c991373039750496e47e105fa848cae25fa2321b6840
                                    • Instruction ID: 23ff9a585550f743914a312470370a883b788f404a20f49a9a0357902cc0ef2c
                                    • Opcode Fuzzy Hash: f3b38d14f3dd4c676331c991373039750496e47e105fa848cae25fa2321b6840
                                    • Instruction Fuzzy Hash: C090023120550C02E104B25848486C6004A87D0301F95C011A6024659E976589917131
                                    Function 03972BA0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 87772aebe367d34bbfb5d85d2b3deba5297fa3b6d8eae62fbdca72811ae51d96
                                    • Instruction ID: 4aed961e866bfdcc8932dd2bd1d1486fd2c76bd970af9b5f01fc1165775f6590
                                    • Opcode Fuzzy Hash: 87772aebe367d34bbfb5d85d2b3deba5297fa3b6d8eae62fbdca72811ae51d96
                                    • Instruction Fuzzy Hash: DF90023160950C02E150B2584458786004A87D0301F95C011A0024658D87558B5576B1
                                    Function 03972BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 004eec93f0a8694125f4a90d0dfc5e7b2acfdcb5a7a40fbee1d355632141ed17
                                    • Instruction ID: f62c5b07a0b88018d2111741179f124ba8bf904865550aba03347b3bea8e6e37
                                    • Opcode Fuzzy Hash: 004eec93f0a8694125f4a90d0dfc5e7b2acfdcb5a7a40fbee1d355632141ed17
                                    • Instruction Fuzzy Hash: 2A90023120550C02E180B258444868A004A87D1301FD5C015A0025658DCB158B5977B1
                                    Function 03972BE0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b79d267fba61ed2a3a76de1f06848c9f53b471c0c169da7d9208ba7fd67cb507
                                    • Instruction ID: e1a216cad5e38ab07a3c9d61ee077d09f00b7cbed70b275f4b0f60c9f9528a28
                                    • Opcode Fuzzy Hash: b79d267fba61ed2a3a76de1f06848c9f53b471c0c169da7d9208ba7fd67cb507
                                    • Instruction Fuzzy Hash: 9990023120954C42E140B2584448A86005A87D0305F95C011A0064698D97258E55B671
                                    Function 03972AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5b649e651de760a17872288a388c65dcd3ff6e26605205e570c3b27d04260f39
                                    • Instruction ID: f38ddb1620cd1e010656f5b98f54c3ce3c1a9764a54e18cbbac2af6eaa2bc4a1
                                    • Opcode Fuzzy Hash: 5b649e651de760a17872288a388c65dcd3ff6e26605205e570c3b27d04260f39
                                    • Instruction Fuzzy Hash: AF9002A1205644925500F3588448B4A454A87E0301B95C016E1054564CC62589519135
                                    Function 03972AD0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d668cf09a035db5c8a72c2c82886d4b87f0084ae7a3bba286baf092e783bab1c
                                    • Instruction ID: adb99fc8f45aa57eedfb9f0a92d1a8b293d3144c5d1b13d7b4402bf35909f2fa
                                    • Opcode Fuzzy Hash: d668cf09a035db5c8a72c2c82886d4b87f0084ae7a3bba286baf092e783bab1c
                                    • Instruction Fuzzy Hash: FC900435315504031105F75C074C54700CFC7D53513D5C031F1015554CD731CD715131
                                    Function 03972AF0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1572b119a3e948c671138da02f7b798fbc9d939a6271445009605c11f87eb383
                                    • Instruction ID: b5dd1b552863b63bd8a2021f343ce642ee1ba1a4ef709c1d1fa53dfb84de5e07
                                    • Opcode Fuzzy Hash: 1572b119a3e948c671138da02f7b798fbc9d939a6271445009605c11f87eb383
                                    • Instruction Fuzzy Hash: 20900225225504021145F658064854B048A97D63513D5C015F1416594CC72189655331
                                    Function 03972F90 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d4a9bb2577faaed95eec2b2baa7d8a1a72b81f44927d5decfc76f4030dbb85f4
                                    • Instruction ID: 1d7aaee6baea2d6fa79368ec984e30458b99bb5373c78ceb3e03c78112115ce4
                                    • Opcode Fuzzy Hash: d4a9bb2577faaed95eec2b2baa7d8a1a72b81f44927d5decfc76f4030dbb85f4
                                    • Instruction Fuzzy Hash: A690023120590802E100B258485874B004A87D0302F95C011A1164559D872589516571
                                    Function 03972FB0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6a714b10256ad1cb3bd39a09f90b54136ec5d832cc5b26079ce3570a02a52181
                                    • Instruction ID: 61efd2fcec38f6e5a69867799fe8051f41270a600935306817272fa88ed72a75
                                    • Opcode Fuzzy Hash: 6a714b10256ad1cb3bd39a09f90b54136ec5d832cc5b26079ce3570a02a52181
                                    • Instruction Fuzzy Hash: F0900221605504425140B2688888946404AABE1311795C121A0998554D865989655675
                                    Function 03972FA0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f103b3b10484ffebfa8415f1e6ae97ce4bd95df7be0ea82eda43729bdafcce74
                                    • Instruction ID: 4a6557e3d307ab1fbb07f4d19b8496ed071b6fa0e4ff9f96fa79da1d0d1f5e8e
                                    • Opcode Fuzzy Hash: f103b3b10484ffebfa8415f1e6ae97ce4bd95df7be0ea82eda43729bdafcce74
                                    • Instruction Fuzzy Hash: C990023120590802E100B258484C787004A87D0302F95C011A5164559E8765C9916531
                                    Function 03972FE0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8b5718eaede12823789ac2ad9214ad8a8b6e6fece62521c39a340a1235d8e556
                                    • Instruction ID: 7f775aff76a974c5ffde33df1fd0baf94527462dcb3243b75e412f37ace4729b
                                    • Opcode Fuzzy Hash: 8b5718eaede12823789ac2ad9214ad8a8b6e6fece62521c39a340a1235d8e556
                                    • Instruction Fuzzy Hash: 52900221215D0442E200B6684C58B47004A87D0303F95C115A0154558CCA1589615531
                                    Function 03972F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 95f4d298b0b30621c673223f8a7c149b993cd9f54851ee77aa459d68a21b5c68
                                    • Instruction ID: e325b7481f5f28cd7f25a85e73b7d09a766a080c03632fafba9ff67dfbd2794b
                                    • Opcode Fuzzy Hash: 95f4d298b0b30621c673223f8a7c149b993cd9f54851ee77aa459d68a21b5c68
                                    • Instruction Fuzzy Hash: D590026134550842E100B2584458B46004AC7E1301F95C015E1064558D8719CD526136
                                    Function 03972F60 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9d14cf0436bedc986c8f4306ecd22892478c3a4f938647908e7ee3a06e1446ff
                                    • Instruction ID: fdfc167135ec0c65a80753b5d51a3e89dbbc0e5ac64ba77d59b387e7d60049d2
                                    • Opcode Fuzzy Hash: 9d14cf0436bedc986c8f4306ecd22892478c3a4f938647908e7ee3a06e1446ff
                                    • Instruction Fuzzy Hash: F690026121550442E104B2584448746008A87E1301F95C012A2154558CC6298D615135
                                    Function 03972E80 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8f94f65f5ad6dbc95e8d5e3c14445ead13952b058935fa9d4a1eaef0da3a9f40
                                    • Instruction ID: 4a4b25494f7f265dcd42d4e544c2324c28b43d0e3c6291cc2cbd5ccb531573ad
                                    • Opcode Fuzzy Hash: 8f94f65f5ad6dbc95e8d5e3c14445ead13952b058935fa9d4a1eaef0da3a9f40
                                    • Instruction Fuzzy Hash: 1690022160550902E101B2584448656004F87D0341FD5C022A1024559ECB258A92A131
                                    Function 03972EA0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6b43fefa9a9d982cb46cb6af2f46b57648f8464011e6c2baeaff2b24a65d687c
                                    • Instruction ID: e915cbb142451198712edc535771688234b22f00448c8fd5dcbf504aeeccf0e9
                                    • Opcode Fuzzy Hash: 6b43fefa9a9d982cb46cb6af2f46b57648f8464011e6c2baeaff2b24a65d687c
                                    • Instruction Fuzzy Hash: 4390027120550802E140B2584448786004A87D0301F95C011A5064558E87598ED56675
                                    Function 03972EE0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 06a9907f2e34dca8e9f7c64ce91ecb76a955f8e35f7d70fafbc17d63ba2e0690
                                    • Instruction ID: 4c07a10d56c986793d01283839c6580f6629ae05d173fd9525910b980de0b80a
                                    • Opcode Fuzzy Hash: 06a9907f2e34dca8e9f7c64ce91ecb76a955f8e35f7d70fafbc17d63ba2e0690
                                    • Instruction Fuzzy Hash: 2190026120590803E140B6584848647004A87D0302F95C011A2064559E8B298D516135
                                    Function 03972E30 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8c0555722962e88ee2550b432fa0aead8a9ddb5f8e40e4a476d07ec4bd5aea1a
                                    • Instruction ID: 6fd2fec7f8da068cf90ae630f0cac44629455367e7f410f0ed058367a7de201e
                                    • Opcode Fuzzy Hash: 8c0555722962e88ee2550b432fa0aead8a9ddb5f8e40e4a476d07ec4bd5aea1a
                                    • Instruction Fuzzy Hash: C790022130550802E102B2584458646004EC7D1345FD5C012E1424559D87258A53A132
                                    Function 03972DB0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d4d7cf051e3d2e9cb1bbde7456ce81eb693e306769615e4f033c0ea669dda008
                                    • Instruction ID: 6e4c8f9c57da3bd3043566aa5cd2ae018c837df944db526e9aa2bf045f5a2ab4
                                    • Opcode Fuzzy Hash: d4d7cf051e3d2e9cb1bbde7456ce81eb693e306769615e4f033c0ea669dda008
                                    • Instruction Fuzzy Hash: F390023124550802E141B2584448646004E97D0341FD5C012A0424558E87558B56AA71
                                    Function 03972DD0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b5d7871dc149f7014d8cc32d1dd3dea09056bb1c0f2118ce3329cfa7eaee9d79
                                    • Instruction ID: 0e63b70ddc8304ee86de8dc42e0c5c4e0210e5b7fc723ae4c1046da3827757be
                                    • Opcode Fuzzy Hash: b5d7871dc149f7014d8cc32d1dd3dea09056bb1c0f2118ce3329cfa7eaee9d79
                                    • Instruction Fuzzy Hash: 21900221246545526545F2584448547404B97E03417D5C012A1414954C86269956D631
                                    Function 03972D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d82ea3ee4836084abaf96c62bd2344389e848f6a4b89052e020f19c48b39503d
                                    • Instruction ID: 9d57fe21c6276fe9e1bb480e8660b23cd767c6610d47b21ca159a3acb5d6a896
                                    • Opcode Fuzzy Hash: d82ea3ee4836084abaf96c62bd2344389e848f6a4b89052e020f19c48b39503d
                                    • Instruction Fuzzy Hash: 6690022921750402E180B258544C64A004A87D1302FD5D415A001555CCCA1589695331
                                    Function 03972D00 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 58e79fc85f082d016413e8c1746fc011432d3206fb1443d7a42a9cac8bdd8497
                                    • Instruction ID: 0085f2e80dc21cde18468b645d15c10e102525686564e9e724d05db75cd09fae
                                    • Opcode Fuzzy Hash: 58e79fc85f082d016413e8c1746fc011432d3206fb1443d7a42a9cac8bdd8497
                                    • Instruction Fuzzy Hash: 4590022120954842E100B658544CA46004A87D0305F95D011A1064599DC7358951A131
                                    Function 03972D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c575f69e45e99ab4aa5e4126336549423480d846eb7889786f1c6345e9e9af64
                                    • Instruction ID: 03641bb45ee6304e0d4e7be104382a81604ee7442b0557b84fb4e8d065a07af5
                                    • Opcode Fuzzy Hash: c575f69e45e99ab4aa5e4126336549423480d846eb7889786f1c6345e9e9af64
                                    • Instruction Fuzzy Hash: 7890022130550403E140B258545C646404AD7E1301F95D011E0414558CDA1589565232
                                    Function 03972CA0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f4455f6c8eb46c980e967e384b032d25aa2a056074ee2c1bfd9e75059d752386
                                    • Instruction ID: 0c7c13ae56aebe7c0bc3ea61432f33c2985132e94cb159e2f3bb3b622aa604a3
                                    • Opcode Fuzzy Hash: f4455f6c8eb46c980e967e384b032d25aa2a056074ee2c1bfd9e75059d752386
                                    • Instruction Fuzzy Hash: D690023120550802E100B698544C686004A87E0301F95D011A5024559EC76589916131
                                    Function 03972CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b768adaacb61e6ee12988c8011c9bc131e56138377cca3bc86fc0297a99fb495
                                    • Instruction ID: 81ba0678d2ba8e28d51f5bc329386b975728f9ed76aa8e86532cae10508896f2
                                    • Opcode Fuzzy Hash: b768adaacb61e6ee12988c8011c9bc131e56138377cca3bc86fc0297a99fb495
                                    • Instruction Fuzzy Hash: 1090022160950802E140B258545C746005A87D0301F95D011A0024558DC7598B5566B1
                                    Function 03972CF0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1bdcec2d9d3888909aea586d082ca4a02e176df22da3df5e606ad8e60d79f161
                                    • Instruction ID: 0b92f4c1778a9a71eec373cf420f916ac88f02cc89879f2f0b371ab5b423740c
                                    • Opcode Fuzzy Hash: 1bdcec2d9d3888909aea586d082ca4a02e176df22da3df5e606ad8e60d79f161
                                    • Instruction Fuzzy Hash: 9790023120550803E100B258554C747004A87D0301F95D411A042455CDD75689516131
                                    Function 03972C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b2d6d3ebc716c01ff8dd22534e6ee3fd6154e69be3fe1ea45ae176348ab4df8b
                                    • Instruction ID: e7cb9acc1aac29f0d67702531b45ef01e4d6291c9aeab829bca3b13e30d5e72c
                                    • Opcode Fuzzy Hash: b2d6d3ebc716c01ff8dd22534e6ee3fd6154e69be3fe1ea45ae176348ab4df8b
                                    • Instruction Fuzzy Hash: 9590023120558C02E110B258844878A004A87D0301F99C411A442465CD879589917131
                                    Function 03972C60 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 14139a6257cac475446177e43794c411a29768ecddc1199d4e27bee11567b228
                                    • Instruction ID: f52669277373218222791313e56ca262f79b81aad2e2bebcd5bb93cb05d2bb03
                                    • Opcode Fuzzy Hash: 14139a6257cac475446177e43794c411a29768ecddc1199d4e27bee11567b228
                                    • Instruction Fuzzy Hash: C390023120550C42E100B2584448B86004A87E0301F95C016A0124658D8715C9517531
                                    Function 03973090 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 81dcf9648b2073fa5004d1afc2f6b01861d6d24c6baea9284a0fea86c14da103
                                    • Instruction ID: 20cb59a19c79fe41f465ce284e7c01eef368949a6cbe34f1fe1453aa8a9b28e7
                                    • Opcode Fuzzy Hash: 81dcf9648b2073fa5004d1afc2f6b01861d6d24c6baea9284a0fea86c14da103
                                    • Instruction Fuzzy Hash: A090022124550C02E140B2588458747004BC7D0701F95C011A0024558D87168A6566B1
                                    Function 03973010 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a7be15a1047cd50b49450e12ca60464ac1b9cee26f9b7b73ff1dfc52cbf4da0c
                                    • Instruction ID: 2c504cf418794a66b95a8d91223d208fdf18cec99f486a84891055a16d70d8a6
                                    • Opcode Fuzzy Hash: a7be15a1047cd50b49450e12ca60464ac1b9cee26f9b7b73ff1dfc52cbf4da0c
                                    • Instruction Fuzzy Hash: 7590022120594842E140B3584848B4F414A87E1302FD5C019A4156558CCA1589555731
                                    Function 039739B0 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 02ea8b1f0b6c40a4473c0c9bd74c65efbc07c159fdce495d95fc8134eade0872
                                    • Instruction ID: 38cab9ec12d30770bc0dad6bb3505dc0e1f79e4c4abef54ec5e443f2dcda5ef4
                                    • Opcode Fuzzy Hash: 02ea8b1f0b6c40a4473c0c9bd74c65efbc07c159fdce495d95fc8134eade0872
                                    • Instruction Fuzzy Hash: 4290022124955502E150B25C4448656404AA7E0301F95C021A0814598D865589556231
                                    Function 03973D10 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 01e31e4cf3e37e1f295919853faa3bdf12a8b64f9824f548990f53a1556c7b42
                                    • Instruction ID: 69754b87246a922fcf14288c22fa446c66c1486a9f54ebe868cb14f8a83979e6
                                    • Opcode Fuzzy Hash: 01e31e4cf3e37e1f295919853faa3bdf12a8b64f9824f548990f53a1556c7b42
                                    • Instruction Fuzzy Hash: 4990023120650542A540B3585848A8E414A87E1302BD5D415A0015558CCA1489615231
                                    Function 03973D70 Relevance: .0, Instructions: 4COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 324624ff5ee28ee2d711c434be8a8b8d4ccef8edb990060d91518f307b70d7d1
                                    • Instruction ID: 6aea1bf85b4f8c4c1aa26b467e14fd5f380ac8e045daf46e1f4dc6e04d2127ec
                                    • Opcode Fuzzy Hash: 324624ff5ee28ee2d711c434be8a8b8d4ccef8edb990060d91518f307b70d7d1
                                    • Instruction Fuzzy Hash: 2290023520550802E510B2585848686008B87D0301F95D411A042455CD875489A1A131
                                    Function 03972C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                    • Instruction ID: 1d68b5376d7de6f81baa80a78bf1609d016fbde4c99cb6f5da5139f3d6544bb7
                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                    • Instruction Fuzzy Hash:
                                    Function 03972890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                    Download Yara Rule
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                    • API String ID: 48624451-2108815105
                                    • Opcode ID: 1e8502c7aa9bce0ac5c9c84665d1bd4603f5bc17b6a9ad71cb1e9c9127a4ab0e
                                    • Instruction ID: 2be8e7a4728a0517dc27dc12c3131d6ad7d74a0cf4c4abac081bd9629f13e135
                                    • Opcode Fuzzy Hash: 1e8502c7aa9bce0ac5c9c84665d1bd4603f5bc17b6a9ad71cb1e9c9127a4ab0e
                                    • Instruction Fuzzy Hash: 4D51C8B5A14616BFCB10DF9C899097EF7BCBB48240B188669E4A5D7681E334DE44CBE0
                                    Function 039E2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                                    Download Yara Rule
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                    • API String ID: 48624451-2108815105
                                    • Opcode ID: ccb9ce56c8b5c4e68db8dcf7eb2062adbb18a397062a93c19e716266f0fe6911
                                    • Instruction ID: 7249570b4e81c85c18e159648d43fbf9115cc811dd1e3de3e04015ba6e3c3124
                                    • Opcode Fuzzy Hash: ccb9ce56c8b5c4e68db8dcf7eb2062adbb18a397062a93c19e716266f0fe6911
                                    • Instruction Fuzzy Hash: 9751EAB5A006556ECB31EF5CC99097FB7FDEB84240B048C59E4E6DB641EB74EA408760
                                    Function 03967630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                                    Download Yara Rule
                                    Strings
                                    • ExecuteOptions, xrefs: 039A46A0
                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 039A4725
                                    • Execute=1, xrefs: 039A4713
                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 039A4655
                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 039A4742
                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 039A4787
                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 039A46FC
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                    • API String ID: 0-484625025
                                    • Opcode ID: 0eba25808b7675d4affd3c477042ab0e9690c6d10f089c51d00343ded6c62b7e
                                    • Instruction ID: 706b4188ed24bd6d31b34c18e8734e26b4f3857caae0e1f55d017d2aa7cb7e0c
                                    • Opcode Fuzzy Hash: 0eba25808b7675d4affd3c477042ab0e9690c6d10f089c51d00343ded6c62b7e
                                    • Instruction Fuzzy Hash: AE510535A013197ADF20EBEDDC89FAE73BCEF44348F0805A9D505AB291E7719A418F61
                                    Function 0397B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                    Download Yara Rule
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: __aulldvrm
                                    • String ID: +$-$0$0
                                    • API String ID: 1302938615-699404926
                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                    • Instruction ID: 5bb0d9f9e47dcd396d463e0c483d140d41c0bde8ec97799b4a8a814b5510392c
                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                    • Instruction Fuzzy Hash: 3E81D170E052499EDF24DE6CC8917FEBBB9AF853A0F1C465AD861AB7D0C7349840CB50
                                    Function 039E20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
                                    Download Yara Rule
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: %%%u$[$]:%u
                                    • API String ID: 48624451-2819853543
                                    • Opcode ID: c36d1685af601c7a6b330f5114587bc93d9fe7a2903f03b1330e71292603719b
                                    • Instruction ID: 94f2ab5fa6f145252e6d9cd1f5e0f0aa5954f51926c89fb0b310741c700e28a9
                                    • Opcode Fuzzy Hash: c36d1685af601c7a6b330f5114587bc93d9fe7a2903f03b1330e71292603719b
                                    • Instruction Fuzzy Hash: F621567AE00219ABDB11EF79C8409EFB7ECEF94644F080515E955E7241E730DA058BA1
                                    Function 0395F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                    Download Yara Rule
                                    Strings
                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 039A02E7
                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 039A02BD
                                    • RTL: Re-Waiting, xrefs: 039A031E
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                    • API String ID: 0-2474120054
                                    • Opcode ID: 67565848433a9334151fe346fec471621fbfb9fcd574f8f7e5e9cf4f53612318
                                    • Instruction ID: f1e781f7e13b8e83a3193c3ea7925068890f967ae6e95013f1f6dd33e747fd48
                                    • Opcode Fuzzy Hash: 67565848433a9334151fe346fec471621fbfb9fcd574f8f7e5e9cf4f53612318
                                    • Instruction Fuzzy Hash: 0BE1AE31604B41DFD724CF28C884B2AB7E8BB84364F180A5DF9A68B3D1D774D985CB82
                                    Function 0396BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                                    Download Yara Rule
                                    Strings
                                    • RTL: Resource at %p, xrefs: 039A7B8E
                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 039A7B7F
                                    • RTL: Re-Waiting, xrefs: 039A7BAC
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                    • API String ID: 0-871070163
                                    • Opcode ID: 0e1dd68ac149754e2fafb2368102e49723462fdbf75ad8e05d5759696c1b91eb
                                    • Instruction ID: 52f85d73e484a2371b1a10b5a240651cf68e60ae355859dda7d69115649678e1
                                    • Opcode Fuzzy Hash: 0e1dd68ac149754e2fafb2368102e49723462fdbf75ad8e05d5759696c1b91eb
                                    • Instruction Fuzzy Hash: E74116353057029FC724DE69CC41B6AB7E9EF88710F040A2DF95ADB290E730E405CB91
                                    Function 0396B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                                    Download Yara Rule
                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 039A728C
                                    Strings
                                    • RTL: Resource at %p, xrefs: 039A72A3
                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 039A7294
                                    • RTL: Re-Waiting, xrefs: 039A72C1
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                    • API String ID: 885266447-605551621
                                    • Opcode ID: 3643c1f394d866f6202ff5cf772e7f8fc66953a292d0f8387ea692eeb32dad8b
                                    • Instruction ID: 9bc240f42d6b3a5ee19363d75672e557ed140a56f239e237053d77f525b96510
                                    • Opcode Fuzzy Hash: 3643c1f394d866f6202ff5cf772e7f8fc66953a292d0f8387ea692eeb32dad8b
                                    • Instruction Fuzzy Hash: 2F41F235701606ABC720DEA9CC42B6AB7A9FF84754F140A29FD55EB280EB30F812C7D1
                                    Function 039E2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                                    Download Yara Rule
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: %%%u$]:%u
                                    • API String ID: 48624451-3050659472
                                    • Opcode ID: 85299bf9ceb2ea07be4195ce5c759cc9456026207cf1da82a92cf0644c7f52c5
                                    • Instruction ID: fc9efadcd74fefd152857d89861e90504bb0df50596b966ada15ed362d484459
                                    • Opcode Fuzzy Hash: 85299bf9ceb2ea07be4195ce5c759cc9456026207cf1da82a92cf0644c7f52c5
                                    • Instruction Fuzzy Hash: 37316676A006199FDB21EF29CC40BEEB7BCEB44650F445956E889E7244EB30DA458FA0
                                    Function 03977D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                    Download Yara Rule
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID: __aulldvrm
                                    • String ID: +$-
                                    • API String ID: 1302938615-2137968064
                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                    • Instruction ID: 9ec955086aede08b46768d9a3cb16ca4043844b9c03c99d78c70502aa6fe6090
                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                    • Instruction Fuzzy Hash: 7191C671E002169BDF24DFA9C985BBEB7B9FF847A0F18451AE865E72D0E7308941CB50
                                    Function 03939126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2456850135.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Offset: 03900000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_3900000_svchost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $$@
                                    • API String ID: 0-1194432280
                                    • Opcode ID: 40ee7dc02726ba163a5cf2946591175969a9030b2670138fb4dce09f95ea7023
                                    • Instruction ID: 4369b38c66408d7a40f8909e0c3d261cdf8ec470ff623c9c4d3e29d8b47c0e19
                                    • Opcode Fuzzy Hash: 40ee7dc02726ba163a5cf2946591175969a9030b2670138fb4dce09f95ea7023
                                    • Instruction Fuzzy Hash: AF813BB6D002699BDB31DF94CC44BEEB7B8AB48750F0445DAE909B7280D7709E81CFA0

                                    Execution Graph

                                    Execution Coverage:3.8%
                                    Dynamic/Decrypted Code Coverage:98%
                                    Signature Coverage:0%
                                    Total number of Nodes:98
                                    Total number of Limit Nodes:4
                                    execution_graph 5365 1a05b00 5366 1a05bba 5365->5366 5373 1a152c0 5366->5373 5368 1a05bc7 5372 1a05bde 5368->5372 5378 1a20080 5368->5378 5374 1a152c6 5373->5374 5376 1a152ce 5373->5376 5374->5376 5391 1a0e050 5374->5391 5376->5368 5384 1a20089 5378->5384 5379 1a203e0 GetComputerNameW 5379->5384 5380 1a20181 VirtualFree 5380->5384 5381 1a0e050 VirtualAlloc 5381->5384 5382 1a203bf GetUserNameW 5382->5384 5383 1a204d6 GetComputerNameW 5383->5384 5384->5379 5384->5380 5384->5381 5384->5382 5384->5383 5385 1a05c7b 5384->5385 5386 1a08070 5385->5386 5389 1a08075 5386->5389 5387 1a08186 CloseHandle 5387->5389 5388 1a080a7 5388->5372 5389->5387 5389->5388 5390 1a080ca GetTokenInformation 5389->5390 5390->5389 5392 1a0e0c3 5391->5392 5393 1a0e0d8 VirtualAlloc 5392->5393 5393->5392 5494 1a05860 5495 1a152c0 VirtualAlloc 5494->5495 5496 1a05869 5495->5496 5497 1a20080 5 API calls 5496->5497 5498 1a0587d 5497->5498 5499 1a08070 2 API calls 5498->5499 5500 1a05870 5499->5500 5399 1a05b42 5401 1a05b07 5399->5401 5401->5399 5405 1a05bb4 5401->5405 5406 1a05b68 5401->5406 5407 1a052a0 5401->5407 5402 1a05cdf CreateThread 5403 1a05c01 CloseHandle 5402->5403 5402->5405 5411 1a054a0 5402->5411 5403->5406 5405->5402 5405->5403 5405->5406 5408 1a052ab 5407->5408 5408->5401 5409 1a053c4 GetSystemDefaultLangID 5408->5409 5410 1a053c3 5408->5410 5409->5410 5410->5401 5412 1a054b5 5411->5412 5431 1a05be2 5432 1a05bfc CloseHandle 5431->5432 5434 1a05be7 5431->5434 5432->5434 5417 1a05b87 CreateThread 5418 1a05b1c 5417->5418 5425 1a05810 5417->5425 5419 1a05c01 CloseHandle 5418->5419 5421 1a05cdf CreateThread 5418->5421 5423 1a05c20 5418->5423 5422 1a05d37 5419->5422 5421->5418 5421->5419 5424 1a054a0 5421->5424 5426 1a05822 5425->5426 5451 1a05b09 5452 1a05b16 5451->5452 5453 1a05c01 CloseHandle 5452->5453 5454 1a05c20 5452->5454 5456 1a05cdf CreateThread 5452->5456 5457 1a05d37 5453->5457 5456->5452 5456->5453 5458 1a054a0 5456->5458 5435 1a055ef 5438 1a055ac 5435->5438 5437 1a055e4 5438->5437 5439 1a23870 5438->5439 5440 1a23876 5439->5440 5442 1a23893 5440->5442 5443 1a23720 5440->5443 5442->5438 5445 1a10c42 5443->5445 5444 1a0e050 VirtualAlloc 5444->5445 5445->5443 5445->5444 5446 1a237dd 5445->5446 5446->5442 5446->5446 5447 1a057f0 5450 1a055ac 5447->5450 5448 1a055e4 5449 1a23870 VirtualAlloc 5449->5450 5450->5448 5450->5449 5485 1a08090 5487 1a0807d 5485->5487 5488 1a080a7 5485->5488 5486 1a08186 CloseHandle 5486->5487 5487->5486 5487->5488 5489 1a080ca GetTokenInformation 5487->5489 5489->5487 5394 1a081b1 5397 1a08075 5394->5397 5395 1a08186 CloseHandle 5395->5397 5396 1a080ca GetTokenInformation 5396->5397 5397->5395 5397->5396 5398 1a080a7 5397->5398 5490 1a052f4 5491 1a052b0 5490->5491 5492 1a053c3 5491->5492 5493 1a053c4 GetSystemDefaultLangID 5491->5493 5493->5492 5481 1a052b7 5483 1a052b0 5481->5483 5484 1a053c3 5481->5484 5482 1a053c4 GetSystemDefaultLangID 5482->5484 5483->5482 5483->5484 5463 1a08178 5465 1a0807d 5463->5465 5464 1a08186 CloseHandle 5464->5465 5465->5464 5466 1a080ca GetTokenInformation 5465->5466 5467 1a080a7 5465->5467 5466->5465

                                    Executed Functions

                                    Function 01A052A0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 300 1a052a0-1a052f7 304 1a052fd 300->304 305 1a053fe 300->305 306 1a05430-1a0543e 304->306 307 1a05303 304->307 308 1a05400-1a05424 305->308 309 1a40d4c-1a40d4e 305->309 311 1a05441-1a0544a 306->311 307->306 312 1a05309-1a0530f 307->312 313 1a0542a 308->313 314 1a0539b 308->314 325 1a05450 311->325 326 1a053c4-1a053ca GetSystemDefaultLangID 311->326 315 1a05315 312->315 316 1a053ad 312->316 313->306 313->314 318 1a05413-1a05419 314->318 319 1a0539d-1a053a1 314->319 315->316 317 1a0531b 315->317 321 1a053f3-1a053f9 316->321 322 1a053af-1a053f1 316->322 324 1a05322-1a05328 317->324 327 1a052b0-1a052b5 319->327 328 1a053a7 319->328 321->324 322->318 322->321 330 1a05355 324->330 331 1a0532a 324->331 339 1a05411 325->339 340 1a053c1 325->340 334 1a05475-1a0547b 326->334 329 1a052cb-1a052d1 327->329 328->316 328->327 341 1a052d4-1a052e9 329->341 330->329 331->330 335 1a0532c-1a0536f 331->335 334->309 335->311 342 1a05375-1a05390 335->342 339->318 339->326 340->339 343 1a053c3 340->343 341->341 344 1a052eb 341->344 342->343 348 1a05392-1a0539a 342->348 346 1a052f1 344->346 347 1a0545a-1a0546b 344->347 346->304 347->334 348->319
                                    APIs
                                    • GetSystemDefaultLangID.KERNELBASE ref: 01A053C4
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID: DefaultLangSystem
                                    • String ID:
                                    • API String ID: 706401283-0
                                    • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                    • Instruction ID: df87f68b4acf55815aa2ebae4ad1b7ec71a249d8ed1fa76fec23df80ac7d3d7b
                                    • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                    • Instruction Fuzzy Hash: 9241E671D0DA958FE72B432D74782B17FE49B06362F8E04E6E193C61E3D1A948418F27
                                    Function 01A20080 Relevance: 5.0, APIs: 3, Instructions: 466COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 0 1a20080-1a20286 2 1a20099-1a20575 0->2 3 1a2028c 0->3 7 1a20155 2->7 8 1a2057b 2->8 5 1a20445 3->5 5->2 6 1a2044b-1a20457 5->6 9 1a20458-1a20472 GetComputerNameW 6->9 11 1a202ef-1a20495 call 1a0e050 * 2 7->11 8->7 10 1a20581-1a20587 8->10 15 1a203ee-1a203f4 9->15 16 1a2024c-1a20253 9->16 13 1a2058b 10->13 11->9 50 1a2043e 11->50 18 1a20181 VirtualFree 13->18 19 1a2058c-1a20591 13->19 37 1a200da-1a2023f 15->37 38 1a203fa 15->38 23 1a201e6 16->23 24 1a20255 16->24 20 1a201a8-1a202ac call 1a37164 18->20 21 1a20597 19->21 22 1a204ab-1a204af 19->22 27 1a202b1-1a202be 20->27 21->22 30 1a2059d 21->30 48 1a204c7 22->48 23->27 28 1a201ec-1a20313 call 1a3715c 23->28 31 1a202d3 24->31 33 1a202c4 27->33 34 1a203bf-1a203d9 GetUserNameW 27->34 53 1a20318-1a2031e 28->53 30->22 31->23 36 1a202d9 31->36 33->34 43 1a202ca 33->43 44 1a20331 34->44 36->11 37->16 51 1a20241-1a2024a 37->51 38->37 45 1a20400 38->45 43->31 54 1a20171 44->54 55 1a20337 44->55 52 1a2b1ee-1a2b49f 45->52 59 1a204cc-1a204e6 call 1a39970 GetComputerNameW 48->59 50->5 51->16 51->27 57 1a20324 53->57 58 1a20568-1a2056b 53->58 60 1a20173 54->60 61 1a2013f-1a20146 54->61 55->54 56 1a2033d 55->56 63 1a205d0-1a205d9 56->63 57->58 65 1a2032a 57->65 58->59 70 1a20131 59->70 71 1a204ec-1a20514 59->71 62 1a20230 60->62 61->13 62->48 67 1a20236-1a205c2 62->67 63->52 65->44 67->48 74 1a205c8-1a205c9 67->74 72 1a20137 70->72 73 1a20089-1a2008c 70->73 71->58 72->73 77 1a2013d 72->77 73->20 76 1a20092 73->76 74->63 76->20 78 1a20098 76->78 77->18 77->61 78->2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID: ComputerName
                                    • String ID:
                                    • API String ID: 3545744682-0
                                    • Opcode ID: dcfd34c7eb4499275a99a04eb004f20dc865f45605bfa7978ac2efba590f8dcc
                                    • Instruction ID: a8725a34b80578e2fd3c32167152b93de0828ace0ded9eb8d19b18e6bcbb52ad
                                    • Opcode Fuzzy Hash: dcfd34c7eb4499275a99a04eb004f20dc865f45605bfa7978ac2efba590f8dcc
                                    • Instruction Fuzzy Hash: 97D12232418B1A8BDB28EF5CDA457EAB7E1FB90310F08461FE946C3165DA74D6458BC2
                                    Function 01A08070 Relevance: 4.7, APIs: 3, Instructions: 236COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 79 1a08070-1a0817e 81 1a08180 79->81 82 1a0813d-1a081a5 79->82 83 1a08184 81->83 84 1a0815f 81->84 95 1a081a7 82->95 96 1a081bd-1a081ca 82->96 86 1a08186 CloseHandle 83->86 87 1a0818c-1a08192 83->87 84->82 85 1a08161 84->85 90 1a08163-1a08170 call 1a37164 85->90 86->87 91 1a08194 87->91 92 1a08115-1a08118 87->92 90->86 102 1a08172 90->102 91->92 93 1a0819a 91->93 97 1a080a7 92->97 98 1a08119-1a0811a 92->98 107 1a081d0 96->107 108 1a080f3 96->108 98->97 101 1a0811c-1a0820f 98->101 105 1a08215-1a0821e 101->105 106 1a0808e-1a08096 101->106 102->87 105->106 117 1a08224 105->117 106->83 106->97 111 1a080fa-1a0810b 107->111 109 1a080f5 108->109 110 1a0808c 108->110 109->111 113 1a08075 109->113 110->106 112 1a080b8-1a080c9 111->112 112->111 113->110 116 1a08077 113->116 119 1a081d7-1a081e6 call 1a3715c 116->119 117->119 120 1a08226 117->120 125 1a08122-1a08127 119->125 126 1a081ed-1a081f0 119->126 120->119 122 1a08228-1a082ee call 1a05d90 120->122 143 1a082f0 122->143 144 1a0830c-1a0831e 122->144 131 1a0807d-1a08087 125->131 132 1a0812d 125->132 128 1a081f6 126->128 129 1a080da-1a080f1 126->129 128->129 137 1a081fc-1a08202 128->137 142 1a080aa-1a080ad 129->142 135 1a08089 131->135 136 1a080ca-1a080d8 GetTokenInformation 131->136 133 1a08133 132->133 134 1a080a8 132->134 133->126 134->142 135->136 140 1a0808b 135->140 145 1a0810f 136->145 141 1a08203 137->141 140->110 141->90 149 1a08209 141->149 142->90 150 1a080b3 142->150 143->144 151 1a082f2 143->151 146 1a08320 144->146 147 1a082a1-1a082ba call 1a05d90 call 1a0ec00 144->147 145->132 148 1a08111 145->148 152 1a08322 146->152 153 1a082f7-1a082fc call 1a05d90 146->153 147->146 148->132 155 1a08113 148->155 150->112 150->141 151->153 152->153 158 1a08324-1a08326 152->158 163 1a08302 153->163 164 1a08253-1a08265 call 1a21280 153->164 155->92 161 1a08328 158->161 169 1a08335 161->169 170 1a082df-1a0832b 161->170 163->164 168 1a08308-1a0830a 163->168 164->161 174 1a0826b 164->174 168->144 172 1a0826e-1a08285 169->172 170->169 175 1a0832d-1a08331 170->175 176 1a08287 172->176 177 1a0829b-1a0829d 172->177 174->172 178 1a08239 174->178 175->169 179 1a0824c 176->179 177->147 178->161 181 1a0823f-1a08243 178->181 179->177 180 1a0824e-1a08252 179->180 180->172 181->153 181->179
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4e5eca3b617ff20b13951121d243e6d079118d2c523d8733afee945c832315b6
                                    • Instruction ID: 312cb257395fb53801f8a62d601f217abfa936bd9f9eb30e4ee4b932ae383b6d
                                    • Opcode Fuzzy Hash: 4e5eca3b617ff20b13951121d243e6d079118d2c523d8733afee945c832315b6
                                    • Instruction Fuzzy Hash: 2161BC31E0CB459FE76BCB2CB8582356BB0BF89360F48465AD55AC31E2DB3C9844875E
                                    Function 01A05B09 Relevance: 3.1, APIs: 2, Instructions: 60COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 182 1a05b09-1a05b3b 186 1a05cff-1a05d01 182->186 187 1a05bb4 186->187 188 1a05d07 186->188 189 1a05c01-1a05d41 CloseHandle 187->189 190 1a05cda-1a05ce4 CreateThread 187->190 188->187 191 1a05d0d 188->191 197 1a05d43 189->197 198 1a05d4b-1a05d52 189->198 190->189 195 1a05cea 190->195 195->189 196 1a05cf0-1a05cf6 195->196 196->186 201 1a05c20-1a05c68 196->201 199 1a05d54 197->199 198->199 200 1a05d45-1a05d47 198->200 203 1a05d49 200->203 204 1a05d5f 200->204 203->198 203->204 205 1a05d65 204->205 205->205
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                    • Instruction ID: 14492a97b37dfe2a4b725479054a1ad440f568fa99e00ac5edae731e7346bb28
                                    • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                    • Instruction Fuzzy Hash: C201B530D0DA468FEB579728BC183797BF0EB41324F5D02ABC487CA0D2EAA44505CF12
                                    Function 01A05910 Relevance: 1.9, APIs: 1, Instructions: 607COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 206 1a05910-1a05912 207 1a05950-1a05968 206->207 208 1a05915-1a05928 call 1a39970 206->208 207->208 209 1a0596a 207->209 214 1a059b8 call 1a20df0 208->214 211 1a05970-1a0597b 209->211 212 1a0592f 209->212 215 1a059d4 211->215 216 1a0597d 211->216 212->208 217 1a05931-1a1072c 212->217 226 1a059bd-1a059c2 call 1a05d90 214->226 219 1a059d8-1a059de 215->219 220 1a0593b-1a05a15 call 1a211a0 215->220 216->215 222 1a0597f-1a05981 216->222 223 1a10732-1a10738 217->223 224 1a10806-1a10809 217->224 237 1a059e0 219->237 238 1a05994-1a0599c 219->238 227 1a05983-1a05a38 222->227 229 1a10800 223->229 230 1a1073e 223->230 235 1a1079d-1a107a6 224->235 241 1a059c7-1a059ce 226->241 227->238 239 1a05a3e 227->239 229->224 242 1a106b3-1a106b7 229->242 230->229 236 1a10744-1a10774 230->236 248 1a10791-1a10793 235->248 249 1a107a8 235->249 254 1a106d5-1a106d9 236->254 255 1a1077a-1a1081c 236->255 237->238 252 1a059e2-1a059ec 237->252 250 1a05a02 238->250 251 1a0599e-1a059f7 238->251 244 1a05a2c-1a05a34 239->244 245 1a059d0 241->245 246 1a05a1a-1a05a26 241->246 242->235 247 1a106bd 242->247 253 1a059d9-1a059de call 1a32190 244->253 245->246 257 1a059d2 245->257 246->244 256 1a059a1-1a059b5 call 1a05e10 246->256 247->235 258 1a106c3-1a107fe 247->258 259 1a107ca-1a107cc 248->259 249->248 260 1a107aa 249->260 250->211 251->250 262 1a05a62-1a05a6e 252->262 263 1a059ee-1a059ef 252->263 253->237 253->238 268 1a106db 254->268 269 1a106df 254->269 255->235 256->214 279 1a05a08-1a05a0b 256->279 257->253 258->229 260->259 266 1a05a70 262->266 267 1a05a75-1a05ab3 call 1a21280 262->267 263->227 272 1a059f1 263->272 266->267 273 1a05a72 266->273 294 1a05ab5 267->294 295 1a05abb-1a05af2 267->295 268->269 274 1a106dd 268->274 269->235 272->208 273->267 274->269 280 1a1c0cc 274->280 279->238 284 1a05a0d 279->284 282 1a1c0e8-1a1c102 280->282 283 1a1c0ce-1a1c0d0 280->283 285 1a1c0d2-1a1c0df 282->285 287 1a1c104 282->287 283->285 291 1a05991 284->291 292 1a05932 284->292 296 1a1c0e7 285->296 287->285 287->296 291->292 297 1a05993 291->297 294->295 298 1a05ab7-1a05ab9 294->298 295->242 297->238 298->295
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                    • Instruction ID: 537f37a2a77f2b9ddaf10e37c8a1291e1f4e70e8b1d374e785d099194b3a7a51
                                    • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                    • Instruction Fuzzy Hash: C9F14C30B1CF694FD76B971C69543BA77E2FB9A320F48419ED04AC329ADD249C468782
                                    Function 01A05B42 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 351 1a05b42-1a05b47 call 1a05d90 353 1a05b4c-1a05b52 351->353 355 1a05c42-1a05c62 call 1a21280 353->355 356 1a05b0d 353->356 370 1a05c24 355->370 371 1a05c68 355->371 356->355 357 1a05b13 356->357 359 1a05c8f-1a05c96 357->359 361 1a05c98-1a05c9a 359->361 362 1a05c29 359->362 363 1a05c9c 361->363 364 1a05cc2-1a05cc9 call 1a052a0 362->364 365 1a05c2f-1a05c36 362->365 375 1a05bfa 363->375 376 1a05d0e-1a05d18 363->376 383 1a05c69 364->383 384 1a05ccb 364->384 365->364 369 1a05c3c 365->369 369->351 372 1a05c14-1a05c19 370->372 373 1a05c26 370->373 380 1a05cc0 372->380 381 1a05c20-1a05c21 372->381 373->372 382 1a05c28 373->382 375->376 377 1a05c00 375->377 378 1a05d54 376->378 379 1a05d1a 376->379 377->372 387 1a05d4b-1a05d52 379->387 380->364 381->371 382->362 385 1a05b68-1a05d75 383->385 386 1a05c6f 383->386 384->363 388 1a05ccd 384->388 386->385 389 1a05c75 386->389 387->378 390 1a05d45-1a05d47 387->390 388->363 391 1a05ccf-1a05cdd 388->391 389->359 394 1a05d49 390->394 395 1a05d5f 390->395 393 1a05cdf-1a05ce4 CreateThread 391->393 396 1a05c01-1a05c05 CloseHandle 393->396 397 1a05cea 393->397 394->387 394->395 399 1a05d65 395->399 401 1a05d37-1a05d41 396->401 397->396 400 1a05cf0-1a05cf6 397->400 399->399 400->381 402 1a05cff-1a05d01 400->402 401->387 405 1a05d43 401->405 403 1a05bb4 402->403 404 1a05d07 402->404 403->396 406 1a05cda-1a05cdd 403->406 404->403 407 1a05d0d 404->407 405->378 406->393
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                    • Instruction ID: 7673ee8f05997fb35beb93116b23c9a16d467018e2c9f04815b9396fc376232e
                                    • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                    • Instruction Fuzzy Hash: BF21B030E0C6458FEB6B9B1CB4487742BE1EB46310F4D03A7D147CF1E2DA2898498F16
                                    Function 01A05B87 Relevance: 1.5, APIs: 1, Instructions: 23threadCOMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 408 1a05b87-1a05b99 CreateThread 411 1a05cff-1a05d01 408->411 412 1a05bb4 411->412 413 1a05d07 411->413 414 1a05c01-1a05c05 CloseHandle 412->414 415 1a05cda-1a05ce4 CreateThread 412->415 413->412 416 1a05d0d 413->416 419 1a05d37-1a05d41 414->419 415->414 420 1a05cea 415->420 422 1a05d43 419->422 423 1a05d4b-1a05d52 419->423 420->414 421 1a05cf0-1a05cf6 420->421 421->411 426 1a05c20-1a05c68 421->426 424 1a05d54 422->424 423->424 425 1a05d45-1a05d47 423->425 428 1a05d49 425->428 429 1a05d5f 425->429 428->423 428->429 430 1a05d65 429->430 430->430
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID:
                                    • API String ID: 2422867632-0
                                    • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                    • Instruction ID: 34473bea931d50929a92d35c31ec089b351ba790f12a175c00be34c5be1e604b
                                    • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                    • Instruction Fuzzy Hash: 06E08630E0DB444FEB5B9B286C103293EE5EB89314F0902CFC44AD71D2DB7919054F86
                                    Function 01A0599B Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 431 1a0599b-1a0599e 432 1a059f7 431->432 433 1a05a02 432->433 435 1a059d4 433->435 436 1a0597d 433->436 437 1a059d8-1a059de 435->437 438 1a0593b-1a05a15 call 1a211a0 435->438 436->435 439 1a0597f-1a05981 436->439 445 1a059e0 437->445 446 1a05994-1a0599c 437->446 441 1a05983-1a05a38 439->441 441->446 447 1a05a3e 441->447 445->446 451 1a059e2-1a059ec 445->451 446->433 450 1a0599e 446->450 449 1a05a2c-1a05a34 447->449 452 1a059d9-1a059de call 1a32190 449->452 450->432 453 1a05a62-1a05a6e 451->453 454 1a059ee-1a059ef 451->454 452->445 452->446 455 1a05a70 453->455 456 1a05a75-1a05ab3 call 1a21280 453->456 454->441 458 1a059f1 call 1a39970 454->458 455->456 460 1a05a72 455->460 470 1a05ab5 456->470 471 1a05abb-1a05af2 456->471 466 1a059b8 call 1a20df0 458->466 460->456 472 1a059bd-1a059c2 call 1a05d90 466->472 470->471 473 1a05ab7-1a05ab9 470->473 477 1a106b3-1a106b7 471->477 476 1a059c7-1a059ce 472->476 473->471 478 1a059d0 476->478 479 1a05a1a-1a05a26 476->479 480 1a1079d-1a107a6 477->480 481 1a106bd 477->481 478->479 483 1a059d2 478->483 479->449 482 1a059a1-1a059b5 call 1a05e10 479->482 485 1a10791-1a10793 480->485 486 1a107a8 480->486 481->480 484 1a106c3-1a10800 481->484 482->466 492 1a05a08-1a05a0b 482->492 483->452 484->477 495 1a10806-1a10809 484->495 488 1a107ca-1a107cc 485->488 486->485 490 1a107aa 486->490 490->488 492->446 494 1a05a0d 492->494 498 1a05991 494->498 499 1a05932 494->499 495->480 498->499 500 1a05993 498->500 500->446
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID: wcscpy
                                    • String ID:
                                    • API String ID: 1284135714-0
                                    • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                    • Instruction ID: a8e8553fb7efe6c83a67a2e5daeb3c17a434a65a22f7fb62b7dc1069758c8682
                                    • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                    • Instruction Fuzzy Hash: BC01F970E0E7814FEB1B9B2C75483792961FBA63B4F1C045B914AC71D2D83445418F45
                                    Function 01A05BE2 Relevance: 1.3, APIs: 1, Instructions: 25COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 501 1a05be2-1a05be5 502 1a05be7-1a05ca3 501->502 503 1a05bfc-1a05c05 CloseHandle 501->503 507 1a05ca5 502->507 508 1a05ca8-1a05cb3 call 1a05e10 502->508 509 1a05d37-1a05d41 503->509 507->508 511 1a05ca7 507->511 517 1a05cb5 508->517 518 1a05d26 508->518 513 1a05d43 509->513 514 1a05d4b-1a05d52 509->514 511->509 515 1a05d54 513->515 514->515 516 1a05d45-1a05d47 514->516 521 1a05d49 516->521 522 1a05d5f 516->522 517->518 520 1a05cb7 517->520 519 1a05d27-1a05d2a call 1a05910 518->519 527 1a05d2e 519->527 524 1a05d5b-1a05d5d 520->524 521->514 521->522 526 1a05d65 522->526 524->522 526->526 527->524
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                    • Instruction ID: e360f846d67bf8c3494c2e86eada7779dadf94e909fac1ca57445ce8013b5bf6
                                    • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                    • Instruction Fuzzy Hash: 1AE0C231D08D0ACFEF47E71CF80927526E0D71432030C0A238802C71D0E418DA4A4F02
                                    Function 01A08090 Relevance: 1.3, APIs: 1, Instructions: 14COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 528 1a08090-1a08096 529 1a08184 528->529 530 1a0813c 528->530 531 1a08186 CloseHandle 529->531 532 1a0818c-1a08192 529->532 531->532 533 1a08194 532->533 534 1a08115-1a08118 532->534 533->534 535 1a0819a 533->535 536 1a080a7 534->536 537 1a08119-1a0811a 534->537 535->530 537->536 538 1a0811c-1a0820f 537->538 540 1a08215-1a0821e 538->540 541 1a0808e-1a08096 538->541 540->541 543 1a08224 540->543 541->529 541->536 544 1a08226 543->544 545 1a081d7-1a081e6 call 1a3715c 543->545 544->545 547 1a08228-1a082ee call 1a05d90 544->547 550 1a08122-1a08127 545->550 551 1a081ed-1a081f0 545->551 568 1a082f0 547->568 569 1a0830c-1a0831e 547->569 556 1a0807d-1a08087 550->556 557 1a0812d 550->557 553 1a081f6 551->553 554 1a080da-1a080f1 551->554 553->554 562 1a081fc-1a08202 553->562 567 1a080aa-1a080ad 554->567 560 1a08089 556->560 561 1a080ca-1a0810f GetTokenInformation 556->561 558 1a08133 557->558 559 1a080a8 557->559 558->551 559->567 560->561 565 1a0808b-1a0808c 560->565 561->557 573 1a08111 561->573 566 1a08203 562->566 565->541 574 1a08163-1a08170 call 1a37164 566->574 575 1a08209 566->575 567->574 576 1a080b3 567->576 568->569 577 1a082f2 568->577 571 1a08320 569->571 572 1a082a1-1a082ba call 1a05d90 call 1a0ec00 569->572 578 1a08322 571->578 579 1a082f7-1a082fc call 1a05d90 571->579 572->571 573->557 583 1a08113 573->583 574->531 594 1a08172 574->594 576->566 585 1a080b8-1a0810b 576->585 577->579 578->579 588 1a08324-1a08326 578->588 596 1a08302 579->596 597 1a08253-1a08265 call 1a21280 579->597 583->534 593 1a08328 588->593 603 1a08335 593->603 604 1a082df-1a0832b 593->604 594->532 596->597 602 1a08308-1a0830a 596->602 597->593 608 1a0826b 597->608 602->569 606 1a0826e-1a08285 603->606 604->603 609 1a0832d-1a08331 604->609 610 1a08287 606->610 611 1a0829b-1a0829d 606->611 608->606 612 1a08239 608->612 609->603 613 1a0824c 610->613 611->572 612->593 615 1a0823f-1a08243 612->615 613->611 614 1a0824e-1a08252 613->614 614->606 615->579 615->613
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                    • Instruction ID: 5e7e49a84f87af3c9e4c714b6d29d0ca1b34a6d25bf2783029f5d14fbdba8a37
                                    • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                    • Instruction Fuzzy Hash: 48C08C70D38B07D66A3B034C3C0B0B46E218F02360B0C00068C02802E0D54C8A0140EF
                                    Function 01A0817F Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 616 1a0817f 617 1a08184 616->617 618 1a08186 CloseHandle 617->618 619 1a0818c-1a08192 617->619 618->619 620 1a08194 619->620 621 1a08115-1a08118 619->621 620->621 622 1a0819a 620->622 623 1a080a7 621->623 624 1a08119-1a0811a 621->624 624->623 626 1a0811c-1a0820f 624->626 628 1a08215-1a0821e 626->628 629 1a0808e-1a08096 626->629 628->629 631 1a08224 628->631 629->617 629->623 632 1a08226 631->632 633 1a081d7-1a081e6 call 1a3715c 631->633 632->633 635 1a08228-1a082ee call 1a05d90 632->635 638 1a08122-1a08127 633->638 639 1a081ed-1a081f0 633->639 656 1a082f0 635->656 657 1a0830c-1a0831e 635->657 644 1a0807d-1a08087 638->644 645 1a0812d 638->645 641 1a081f6 639->641 642 1a080da-1a080f1 639->642 641->642 650 1a081fc-1a08202 641->650 655 1a080aa-1a080ad 642->655 648 1a08089 644->648 649 1a080ca-1a0810f GetTokenInformation 644->649 646 1a08133 645->646 647 1a080a8 645->647 646->639 647->655 648->649 653 1a0808b-1a0808c 648->653 649->645 661 1a08111 649->661 654 1a08203 650->654 653->629 662 1a08163-1a08170 call 1a37164 654->662 663 1a08209 654->663 655->662 664 1a080b3 655->664 656->657 665 1a082f2 656->665 659 1a08320 657->659 660 1a082a1-1a082ba call 1a05d90 call 1a0ec00 657->660 666 1a08322 659->666 667 1a082f7-1a082fc call 1a05d90 659->667 660->659 661->645 671 1a08113 661->671 662->618 682 1a08172 662->682 664->654 673 1a080b8-1a0810b 664->673 665->667 666->667 676 1a08324-1a08326 666->676 684 1a08302 667->684 685 1a08253-1a08265 call 1a21280 667->685 671->621 681 1a08328 676->681 691 1a08335 681->691 692 1a082df-1a0832b 681->692 682->619 684->685 690 1a08308-1a0830a 684->690 685->681 696 1a0826b 685->696 690->657 694 1a0826e-1a08285 691->694 692->691 697 1a0832d-1a08331 692->697 698 1a08287 694->698 699 1a0829b-1a0829d 694->699 696->694 700 1a08239 696->700 697->691 701 1a0824c 698->701 699->660 700->681 703 1a0823f-1a08243 700->703 701->699 702 1a0824e-1a08252 701->702 702->694 703->667 703->701
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.2159252200.0000000001A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_13_2_1a00000_maintenanceservice.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                    • Instruction ID: a1be1fe48609718bed64937962429a806a493937c4a851710e76b8a74e59fc1f
                                    • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                    • Instruction Fuzzy Hash: A5C092B4D6870987693B278C3C0A4B57D624F43760F0C8412EE069A3E1D19C5D4081FA